Policy on the Personal Data of Clients / Contacts
1 – Preamble
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, known as the General Data Protection Regulation (hereinafter “GDPR”), sets the legal framework applicable to the processing of personal data.
The GDPR strengthens the rights and obligations of data controllers, processors, data subjects, and recipients of data.
In the course of its activities, the MARTIN and ASSOCIATES law firm processes personal data that includes the data of its clients and contacts.
For a clear understanding of this policy, it is specified that:
“client(s)” refers to any natural or legal person who is a client of the Firm;
“contact(s)” refers to any natural or legal person who is in contact with the Firm but is not a client (prospects, relations, partners, etc.);
“data controller” refers to the natural or legal person who determines the purposes and means of processing personal data. Under this policy, the data controller is the Firm;
“processor” refers to any natural or legal person who processes personal data on behalf of the data controller. In practice, this includes service providers with whom the Firm works and who handle the personal data it processes;
“data subjects” refers to individuals who can be identified, directly or indirectly. In this context, they are referred to as “client” or “contact”;
“recipients” refers to natural or legal persons who receive communication of personal data. Recipients of data can include both internal recipients and external entities (support service providers, the judicial administration and its auxiliaries, regulatory bodies, etc.).
The GDPR, in Article 12, requires that data subjects be informed of their rights in a concise, transparent, understandable, and easily accessible manner.
2 – Purpose
To meet its needs, the Firm sets up and carries out the processing of personal data concerning its clients and contacts. This policy aims to fulfill the information obligation of the Firm and to formalize the rights and obligations of its clients and contacts regarding the processing of their personal data.
3 – Scope
4 – General Principles and Commitment
No processing is carried out by the Firm regarding client and contact data unless it concerns personal data collected by or for our services or processed in relation to our services and adheres to the general principles of the GDPR. Any new processing, modification, or deletion of an existing processing will be communicated to clients and contacts through an update to this policy.
5 – Types of Data Collected
NON-TECHNICAL DATA (depending on use cases):
Identification: name, first name, gender, title, pseudonym, social media pseudonym
Contact information: telephone, email address, postal address, fax, etc.
Photos when you grant us this right (usually taken during events or interviews for our YouTube channel)
Personal life (family or financial) when necessary for the processing of a case
Banking data if necessary
TECHNICAL DATA (depending on use cases)
Identification data (IP)
Connection data (logs, in particular)
Consent-related data (clicks), mainly for online subscriptions
The Firm does not process sensitive data as defined in Article 9 of the GDPR, except for those specified in Article 9.2(f), i.e., data necessary “for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity.”
6 – Data Sources
The Firm collects data from its clients and contacts from:
Data provided by the client in the context of a case entrusted to the Firm (client file);
Electronic forms or sheets filled out by the client (attendance sheet, post-conference satisfaction form);
Registration or subscription to our online services (website, social media, YouTube channel, etc.);
Registration for events organized by the Firm;
Lists provided by organizers of events or conferences in which we participate;
Exchanges via social media.
Exceptionally, we may rent databases.
7 – Purposes of Processing
Depending on the cases, the Firm processes your data for the following purposes:
Processing cases entrusted to the Firm;
Customer relationship management (CRM);
Management of events organized by the Firm (conferences, breakfasts, etc.);
Sending newsletters or information updates;
Responding to questions asked (by phone or online);
Responding to public or private tender offers;
Sending greetings and other congratulations on behalf of the Firm;
Improving our services;
Meeting our administrative obligations;
Complying with AML/CFT obligations.
8 – Legal Basis
The processing purposes presented above are based on the following legal conditions:
Clients: Pre-contractual or contractual performance
Contacts: Legitimate interest and, when required by law, consent
9 – Data Recipients
The Firm ensures that data is only accessible to authorized internal or external recipients.
Service providers or support services (e.g., translation service, IT service provider, reprography, etc.)
Judicial administration, legal auxiliaries, colleagues, experts, representatives, bailiffs, investigators, etc.
10 – Data Retention Period
The data retention period is defined by the Firm in light of the legal and contractual constraints it faces. It is determined as part of its data retention policy. After the deadlines set in the said policy, data is either deleted or retained after anonymization, mainly for statistical purposes. Clients and contacts are reminded that deletion or anonymization are irreversible operations, and the Firm cannot restore the data afterward.
11 – Right of Access (Right to Obtain a Copy)
Clients and contacts traditionally have the right to ask the Firm to confirm whether data concerning them is being processed. Clients and contacts also have the right of access, which is subject to the following rules:
The request comes from the individual themselves and is accompanied by a copy of a current ID;
The request must be made in writing to the following address: MARTIN and ASSOCIATES, 15 quai Jean Moulin, 69002 LYON or via email to: email@example.com
Clients and contacts have the right to request a copy of their personal data being processed by the Firm. However, in case of additional copy requests, the Firm may require clients and contacts to bear the financial cost.
If clients and contacts request a copy of the data electronically, the requested information will be provided in a commonly used electronic format, unless otherwise requested. Clients and contacts are informed that this right of access does not apply to confidential information or data that the law prohibits from being disclosed. This right does not provide access to documents and materials entrusted to the Firm and subject to professional confidentiality. The right of access must not be exercised in an abusive manner, meaning it should not be used regularly solely to disrupt the Firm.
12 – Updating – Amendment and Rectification
This right can be exercised with your usual contact, or in the absence thereof, with the Communications Department of the Firm. To allow for regular updating of the personal data collected by the Firm, the Firm may request clients and contacts to fulfill such requests. The Firm cannot be held responsible for a lack of updates if clients or contacts do not update their data.
13 – Right to Erasure
The right to erasure of data for clients and contacts will not apply when the processing is carried out to comply with a legal obligation. In situations other than this, clients and contacts can request the erasure of their data in the following limited cases:
When personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
When the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
When the data subject objects to processing necessary for the legitimate interests pursued by the Firm, and there are no compelling legitimate grounds for the processing;
When the data subject objects to the processing of their personal data for direct marketing, including profiling;
When personal data has been unlawfully processed.
14 – Right to Restriction
Clients and contacts are informed that this right does not apply as the processing carried out by the Firm is lawful, and all personal data collected is necessary for the performance of the commercial contract.
15 – Right to Data Portability
The Firm allows for data portability in the specific case of data provided by clients or contacts themselves, on online services offered by the Firm, and for purposes based solely on the consent of individuals. In this case, data will be provided in a structured, commonly used, and machine-readable format.
16 – Automated Individual Decision-Making
The Firm does not carry out automated individual decision-making.
17 – Post-Mortem Right
Clients and contacts are informed that they have the right to issue directives concerning the retention, erasure, and communication of their data after their death. Specific post-mortem directives and the exercise of their rights are carried out by email to the address: firstname.lastname@example.org or by postal mail to the following address: 15 quai Jean Moulin, 69002 LYON, accompanied by a signed copy of an identity document.
18 – Justification
For all the mentioned rights enjoyed by clients or contacts and in accordance with the legislation on the protection of personal data, it is stated that these are individual rights that can only be exercised by the data subject regarding their own information. To fulfill this obligation, we will verify the identity of the data subject.
19 – Optional or Mandatory Nature of Responses
Clients and contacts are informed on each personal data collection form about the obligatory or optional nature of responses by the presence of an asterisk. In cases where responses are mandatory, the Firm explains the consequences of not providing a response.
20 – Right of Use
Clients and contacts grant the Firm the right to use and process their personal data for the purposes mentioned above. However, data resulting from the Firm’s processing and analysis work, referred to as enriched data, remain the exclusive property of the Firm (usage analysis, statistics, etc.).
21 – Subcontracting
The Firm informs its clients and contacts that it may engage any subcontractor of its choice in the processing of their personal data. In this case, the Firm ensures that the subcontractor complies with its obligations under the GDPR. The Firm undertakes to sign a written contract with all its subcontractors and imposes on subcontractors the same data protection obligations as itself. Furthermore, the Firm reserves the right to conduct an audit of its subcontractors to ensure compliance with the provisions of the GDPR.
22 – Security
It is the responsibility of the Firm to define and implement technical security measures, whether physical or logical, that it deems appropriate to prevent the destruction, loss, alteration, or unauthorized disclosure of data, whether accidental or unlawful. These measures mainly include:
The use of security measures for access to premises (office closures, badges, etc.);
Security for accessing our computers and smartphones (regularly modified access code);
Login and password for all our business applications;
Authorization management for data access (specifically for our financial and accounting services and communication);
VPN for remote connections;
Complex Wi-Fi network password changed every month.
To do this, the Firm may enlist the assistance of any third party of its choice to conduct vulnerability audits or intrusion tests as often as it deems necessary.
In any case, the Firm undertakes, in the event of changes to the means used to ensure the security and confidentiality of personal data, to replace them with means of higher performance. No change may result in a regression in the level of security. In case of subcontracting a part or all of a personal data processing operation, the Firm commits to contractually imposing security guarantees on its subcontractors through technical measures for protecting this data and appropriate human resources.
23 – Data Breach
In the event of a personal data breach, the Firm undertakes to notify the supervisory authority (CNIL) in accordance with the GDPR. If such a breach poses a high risk to clients and contacts and their data has not been protected, the Firm will:
Notify the affected clients and contacts;
Provide the affected clients and contacts with the necessary information and recommendations.
24 – Data Protection Officer
The Firm has appointed a Data Protection Officer (DPO) for personal data. The contact details of our DPO are as follows:
Mr. Olivier MARTIN – Partner Lawyer
15 quai Jean Moulin, 69002 LYON
Phone: 04 81 91 74 20
25 – Register of Processing Activities
The Firm is not required to implement a register of processing activities.
26 – Right to Lodge a Complaint with the CNIL
Clients and contacts affected by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they believe that the processing of their personal data does not comply with European data protection regulations. The CNIL’s address is as follows:
CNIL – Complaints Department
3, place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Phone: 01 53 73 22 22
27 – Changes
This policy may be amended or adjusted at any time in response to developments in legislation, case law, CNIL decisions and recommendations, or industry practices. Any new version of this policy will be brought to the attention of clients and contacts by any means chosen by the Firm, including electronic means (email distribution or online, for example).
28 – For More Information
For any additional information, you can contact our designated contact at the following email address: email@example.com. For more general information on personal data protection, you can consult the CNIL website at www.cnil.fr.