Cairn Legal values the privacy of those who provide personal data to us.  This privacy policy (the “Policy”) describes how and why we collect, store and use personal data, and provides information about individual’s rights.

This Policy applies to both personal data supplied to us either by an individual or by organisations.  We may use personal data supplied to us for any of the purposes as set out in this Policy, or as otherwise disclosed at the point of collection.

Cairn Legal owns and operates the website www.www.cairnlegal.be

1. What terms are used in this Privacy Policy?

In this Policy, we use the terms:

• “we”, “us”, and “our” (and other similar terms) to refer to Cairn Legal SCRL (company number 0825.996.372);
• “personal data” to refer to any information relating to an identified or identifiable natural person (i.e. one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors); and
• “you” and “your” (and other similar terms) to refer to our clients, individuals associated with our clients, contacts, suppliers, job applicants, staff and visitors to the website www.www.cairnlegal.be.
• other terms have the meanings set out in the applicable data protection laws (in particular the General Data Protection Regulation (EU) 2016/679).

2. Who is responsible for your personal data?

Cairn Legal SCRL (BCE/KBO 0825.996.372) is the data controller responsible for your personal data. Our contact details are provided below.

3. Quelles données collectons-nous et traitons-nous ?

We collect and process the following personal data from you:

• Identity and Contact Data, including your name, address, telephone number, date of birth, language, marital status, passport number, employment history, educational or professional background, tax status, employee number, job title and function, seniority and other personal data concerning your preferences relevant to our services;

• Financial and Payment Data, including your bank account and other data necessary for processing payments and fraud prevention, including credit/debit card numbers, security code numbers and other related billing information;
• Business Information, including information provided in the course of the contractual or client relationship between you or your organisation and us, or otherwise voluntarily provided by you or your organisation;
  
  
• Profile and Usage Data, including your preferences in receiving marketing information from us, your communication preferences and information about how you use our products, services, social media pages and website(s) including the services you viewed or searched for, page response times, download errors, length of visits and page interaction information (such as scrolling, clicks, and mouse-overs);
  
  
• Technical Data, including information collected during your visits to our website, the Internet Protocol (IP) address, login data, browser type and version, device type, time zone setting, browser plug-in types and versions, operating system and platform;
  
  
• Physical Access Data, relating to details of your visits to our premises;
  
  
• Sensitive Personal Data: in the course of our client services, we may represent you and/or your organisation in legal matters that require us to collect and use sensitive personal data relating to you (that is information about your racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life and sexual orientation or details of criminal offences, or genetic or biometric data). Where we process sensitive personal data in the course of these and other similar client services, we do so to assist you and/or your organisation to establish, exercise or defend legal claims, or whenever courts are acting in their judicial capacity or to fulfill the rights and obligations of applicable laws.

If you provide information to us about any person other than yourself (your family, employer, employees, counterparties, advisers, suppliers…), you must ensure that they understand how their information will be used, and that they have given their permission for you to disclose it to us and for you to allow us, and our outsourced service providers, to use it. If we need personal data in respect of individuals associated with clients in order to provide legal services we ask our clients to provide this Policy to such individuals as data subjects.

4. How do we collect your personal data?

In the majority of circumstances we will collect personal data (1) from our clients or from third parties acting on behalf of our clients or (2) if you sign up to attend any of our events and/or to receive our communications. In some circumstances (3) we may collect personal data from third parties.

The circumstances in which we can collect personal data about you are the following:

• when you seek legal advice from us;
• when you use any of our services;
• when you offer to provide, or provides, services to us;
• when you correspond with us by phone, email or other electronic means, or in writing, or when you provide other information directly to us, including in conversation with our lawyers, staff, consultants or external providers;
• when you browse, complete a form or make an enquiry or otherwise interact on our website or other online platforms;
• when you attend our seminars, training or other events or sign up to receive information from us;
• by making enquiries from your organisation or other organisations with whom you have dealings such as former employers and educational institutions;
• by making enquiries from third party sources such as government agencies, credit reporting agency, database and information service providers, from publicly available records or non-public records (such as National Register).

Where we need to collect personal data by law or in order to process your instructions or perform a contract we have with you and you fail to provide that data when requested, we may not be able to carry out your instructions or perform the contract we have or are trying to enter into with you. In this case, we may have to cancel our engagement or contract you have with us, but we will notify you if this is the case at the time.

5. How will we use your personal data and on what basis?

We will use your personal data in such a manner as we believe is reasonably necessary only for the following purposes and on the following legal basis:

• The processing is necessary for the performance of a contract you are party to or in order to take steps at your request prior to you entering into a contract with us:
• • Quotes and information : to answer your questions in relation to our Services or to provide you with Services related information (such as demos and price quotation ).
  • Services: to provide our legal services and related services (such as translation for example).
  • Administration: to agree payment arrangements, and to collect our fees and costs owing to us.
  • Client engagement: to register you as a client of us and to carry out certain background searches, as part of our client on-boarding process, to verify whether or not there are any potential issues that may mean we cannot work with a particular person (to identify criminal convictions, politically exposed persons, sanctions or other potential reputation issues).
  • Job applicants: to process applications for employment.
  • Managing supplier relationships: to receive the provision of services from our suppliers (including administration, billing and payment). If a supplier is assisting us in delivering services to our clients we will process personal data to manage that relationship.
• The processing is necessary in order for us to comply with our legal obligations:
• • compliance checks or screening and recording (e.g. anti-money laundering, financial and credit checks, fraud and crime prevention and detection, trade sanctions and embargo laws).
  • maintaining records : for example we must hold your personal data on a suppression file to ensure there is a record of your objection to direct marketing.
  • Compliance with accounting, tax and social security requirements.
• Where you have given consent to the processing of your personal data:
• • to send you legal updates, news about any events we are organising or participating in, and/or other information about us and the services that we or another provides that we believe may be of interest to you.
  • to collect information about your preferences to personalise and improve the quality of our communications with you.
• The processing is necessary for the pursuit of our legitimate interests :
• • to administer and manage our relationship with you, including accounting, auditing, and taking other steps linked to the performance of our business relationship including identifying persons authorised to represent our clients, suppliers or service providers.
  • to carry out background checks, where permitted and where the processing is strictly necessary for the purpose of preventing fraud.
  • to perform analytics (such as trends, sales intelligence, marketing effectiveness).
  • to analyse and improve our services and communications and to monitor compliance with our policies and standards.
  • to manage access to our premises and for security purposes;
  • to ensure our network and information security and prevent or detect security threats, frauds or other criminal or malicious activities.
  • for insurance purposes.
  • to exercise or defend our legal rights or to comply with court orders.
  • to communicate with you to keep you up-to-date on the latest developments, announcements, and other information about our services, events and initiatives (including our newsletters and other information about legal developments ).
  • to collect information about your preferences to personalise and improve the quality of our communications with you.

6. Who else may have access to your personal data?

On occasion, we may need to share your personal data with third parties. We will only share personal data where we are legally permitted to do so.

Where you provide us with personal data as a client, we will assume, unless you instruct us otherwise in writing, that we can disclose your personal data in such manner as we believe is reasonably necessary to provide our services (including as described in this Policy), or as is required under applicable law.

We share your personal data:

• With our business partners, service providers and other affiliated third parties: to enable us to provide our services to you, we may need to share your personal data with our business partners (including accountants, auditors, bailiffs, public notaries, consultants, mediators, or experts and other legal specialists such as law firms for obtaining specialist or foreign legal advice, translators, couriers, or other necessary entities). Our arrangements with external service providers currently cover the provision of support services including IT, money laundering and terrorist financing checks, credit risk reduction and other fraud and crime prevention purposes checks, credit-checking agencies for credit control reasons, events management, document production, business and legal research, secretarial services, marketing and business development and facilities management;
• with courts, law enforcement authorities, regulators, government officials or attorneys or other parties where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process;
• when disclosures are required by law or regulation: in certain circumstances, please note that we may be required to disclose personal data under applicable law or regulation, including to law enforcement agencies or in connection with proposed or actual legal proceedings.

7. International transfers of Information

When we transfer your personal data to other countries, including in territories outside of the European Economic Area (“EEA”), we will safeguard that information as described in this Policy.

The legal regimes of some countries outside of the EEA do not always offer the same standard of data protection as those inside the EEA, although we will ensure that your personal data is only ever treated in accordance with this Policy. We only transfer personal data to these countries when it is necessary for the services we provide you, or it is necessary for the establishment, exercise or defence of legal claims or subject to safeguards that assure the protection of your personal data, such as European Commission approved standard contractual clauses.

All our subsidiary undertakings and/or affiliates throughout the world ensure a level of data protection at least as protective as that required in the European Economic Area.

For further information, including obtaining a copy of the documents used to protect your information, please contact us using the contact details provided below.

8. Security of your personal data

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We put in place strict confidentiality agreements (including data protection obligations) with our third party service providers.

We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

9. Your rights

• Access: The right of access gives you the right to obtain a copy of your personal data. It helps you to understand how and why we are using your data, and check we are doing it lawfully. There are exceptions to this right, so that access may be denied if, for example, making the information available to you would reveal personal data about another person, or if we are legally prevented from disclosing such information.
• Rectification: You have the right to have inaccurate personal data rectified and to have incomplete personal data completed. We encourage you to contact us using the contact details provided below to let us know if any of your personal data is not accurate or has changed, so that we can keep your personal data up-to-date. We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal data that you provide to us.
• Erasure: You have the right to have your personal data erased. This right is not absolute (for example, we may retain your personal data for a longer period because of our legal obligations) and only applies in certain circumstances (for example if your personal data is no longer necessary for the purposes for which it was collected, or when your personal data have been unlawfully processed).
• Restriction: You have the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way that we use your personal data where you have a particular reason for wanting the restriction. This may be because you have issues with the content of the information we hold or how we have processed your data.
• Portability: You have the right to request that some of your personal data is provided to you, or to another data controller, in a structured commonly used, machine-readable format. This right to data portability only applies when our lawful basis for processing this information is consent or for the performance of a contract and we are carrying out the processing by automated means (i.e. excluding paper files).
• Objecting: You have the absolute right to object to the processing of your personal data if it is for direct marketing purposes. In others specific circumstances, you also have the right to object to processing of your personal data and to ask us to block, erase and restrict your personal data.
• Automated individual decision-making: You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The right is not absolute and only applies in certain circumstances. You will be specifically informed if we make such automated individual decision.
• Complaints: We are committed to working with you to obtain a fair resolution of any complaint or concerns about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, you have the right to make a complaint with a supervisory authority, in the Member State of your habitual residence, of your place of work or of an alleged infringement of the data protection laws (for Belgium see www.dataprotectionauthority.be and for other countries click here. You also have the right to seek a remedy through the courts.

You may, at any time, exercise any of the above rights, by contacting us using the contact details provided below. If we have doubt about your identity, we may request you to provide us with a proof of your identity, i.e. a copy of your ID card, or passport, or any other valid identifying document.

10. Withdrawal of consent

When personal data is processed on the basis of your consent, you may withdraw consent at any time (this may apply to processing of special categories of personal data where you have instructed us to act on your behalf and includes the following: racial/ethnic origin, political opinions, religious or philosophical beliefs and trade union membership). Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there is another legal ground for the processing.

In the event that you no longer want to receive any marketing communications from us, please use the unsubscribe option (which is in all of our marketing emails to you), or contact us using the contact details provided below. Withdrawal of consent to receive marketing communications will not affect the processing of personal data for the provision of our legal services.

11. How long do we keep your personal data?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements and, where required for us to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled.

Our general retention period, for the personal data which processing is necessary for the performance of a contract, is 10 years starting from the end of the contract or closing of the file.  In some instances there are legal and regulatory exceptions which may require personal data to be held for longer or shorter periods.  If you require further information please contact us using the contact details provided below.

Upon expiry of the applicable retention period we will securely destroy your personal data in accordance with applicable laws and regulations.