Personal data processing policy

Leroy şi Asociaţii SCA (“Leroy” or “firm” or “us” or “we”) is a Romanian law firm, duly established by decision no. 190/20.01.2014 of the Bucharest Bar, headquartered in 10-12 Gheorghe Șonțu Street, 9th Apartment, District 1, 011448 Bucharest, Romania, having the fiscal code 14520429.

Leroy is fully committed to processing the personal data of individuals in compliance with the legal norms in force in Romania, as well as with the principles laid out in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”).

In reaching this objective, we intend to collect, use and maintain the personal data of data subjects in the strictest compliance with data protection requirements.

This policy explains how we may collect, use, store and/or disclose personal data or information about data subjects and describes the rights you may have as a data subject, in respect of your own personal information. Please take a moment to read it carefully.

Content

  1. Concept of personal data
  2. Principles of personal data processing
  3. Purposes of processing your personal data
  4. Legal basis for personal data processing
  5. International transfers
  6. Disclosures
  7. Third party service providers
  8. Keeping information up to date
  9. Security
  10. Retention periods
  11. Security of personal data
  12. Monitoring and Compliance
  13. Your rights
  14. Policy Review

Appendix 1

1. Concept of personal data

“Personal data” means any information (electronic or written) relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is someone who may be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data may also include “special categories of personal data” from which we can determine or infer, or which directly refer to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Judicial data (including information concerning the commission or alleged commission of a criminal offence and any sentence or penalty imposed or “personal data relating to criminal convictions and offences”) shall also be considered sensitive in nature, and may be processed by us in certain cases.

We will only collect special category data if it is strictly necessary for one of the purposes described below. Further information about when and why we may need to do this is set out in Section 3 – Purposes of processing your personal data.

2. Principles of personal data processing

The fundamental principles enshrined in the GDPR are as follows:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).

3. Purposes of processing your personal data

Leroy shall process your personal information for a variety of purposes, as outlined in the following sections.

(i) Providing legal services

Leroy may process or generate additional information and details about you, during the course of our engagement, for the purpose of providing legal services, as well as accounting and tax purposes. As part of providing legal services, we also conduct public interest tasks, in relation to the justice system, by establishing, exercising or defending our clients’ legal rights.

(ii) Identity, conflict, anti-money laundering and other checks

Such checks may include some or all of the following activities:

  • identity verification;
  • ultimate beneficial ownership of corporate and other legal entities;
  • conflicts checks: to avoid a conflict of interest with any other client of ours;
  • anti-money laundering, proceeds of crime and terrorist financing checks;

These checks are made for legal, regulatory or business reasons and may need to be repeated during the course of our engagement. It is important that you provide us with all necessary information and documents or this may affect our ability to provide services.

(iii) Marketing and business development

The firm collects information for marketing and business development purposes, as well as a part of the general administration of client relationships. We may use your personal details to send you information by e-mail or post, or using social media or social networking sites, about our services, developments in law and practice, brochures, press releases, invitations to events, seminars and talks. In case an event is run or hosted at an external venue, we may need to share your personal details with the event organizer or venue. Only the minimum information will be shared, as necessary for the purposes of running the event.

You may opt out at any time by clicking the button “Unsubscribe” in any communication sent by Leroy to your e-mail address or by sending us an e-mail at the address office@leroylaw.ro.

(iv) Applications

In case you apply for an internship or a job or in case you seek to engage in a collaboration relationship with us, we will collect certain personal data which are necessary for assessing whether you are fit to join our team. Such information may relate to contact information and the information contained in your application documentation (such as, CV and/or motivation/cover letter), provided by you (such as, academic background and credentials, work experience and previous positions, preferences, personal drives, recommendations and others as such).

4. Legal basis for personal data processing

Leroy processes personal data on the following legal bases:

  • The consent of the data subject.
  • The performance of a contract to which the data subject is a party.
  • Compliance with a legal obligation to which Leroy is subject.
  • Protection of the vital interests of the data subject or another natural person.
  • The performance of a task carried out in the public interest or in the exercise of official authority.
  • Legitimate interests pursued by Leroy or a third party, provided such interests do not override the rights and freedoms of the data subject.

5. International transfers

Leroy is a Romanian law firm which may, on occasion, have global connections. For instance, where a client project spans more than one jurisdiction, information will need to be accessed and shared by all the entities involved or working on the project. As a result, your personal information may be transferred outside the country of origin (which includes transfers outside the European Economic Area) and may be accessed by third parties.

Leroy is committed to taking all necessary security and legal precautions to ensure the safety and integrity of personal data which is being transferred to third entities outside the EU or EEA, or to countries not recognized by the European Commission as having adequate data protection.

A comprehensive list of states situated outside the EU or EEA, which have been deemed by the European Commission as having an adequate level of data protection, may be accessed at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

6. Disclosures

We may disclose your personal information (i) where this is necessary for the purposes described in Appendix 1, (ii) if required by applicable law; (iii) in connection with a reorganization or merger of our firm with another firm, (iv) if we believe that such disclosure is necessary to enforce or apply terms of engagement and other agreements or otherwise protect and defend Leroy’s rights, property or safety; (v) in order to comply with a judicial proceeding, court order or other legal obligation, or a regulatory or government inquiry; (vi) with your consent, or (vii) if necessary for the performance of a task carried out in the public interest (i.e. as part of our duties and in the sole interest of aiding the justice system).

We would like to underline that Leroy may be subject to certain disclosure/reporting obligations, in case of suspicious transactions and/or other activities as such, to relevant regulatory authorities under anti-money laundering, terrorist financing, insider dealing or other related legislation. The firm may also report suspected criminal activity to the police and other law enforcement bodies, if the case is such. We may not be permitted to inform you about this in advance of the disclosure, or at all.

7. Third party service providers

Leroy will conclude agreements with third parties providing services to Leroy which will address the requirements of relevant privacy laws, as the case may be. Such third parties will be required to use appropriate security measures to protect personal information and will be prohibited from using personal information, other than as instructed by us.

8. Keeping information up to date

We are constantly trying to ensure that your personal data is, to the fullest extent possible, accurate or up-to-date, as well as complete. In realizing this endeavor we also reach out to you and request a helping hand in providing us with the most recent data, including contact details and address, as well as other relevant information.

You may keep us informed of changes to your information either by contacting the person with whom you regularly work (Managing Partner or Engagement Partner) or by sending an e-mail to the address office@leroylaw.ro.

9. Security

Your personal data will be secured by us, by taking security measures proportionate to the sensitivity of your personal data processed. To this end, we implement appropriate physical, technical, and administrative security measures to protect your personal data against theft, accidental loss, unauthorized modification, unauthorized or accidental access, processing, deletion, use, disclosure or copying or accidental or unlawful destruction.

10. Retention periods

The firm will retain personal information only for as long as it is either legally required, if the case is such, or needed for the purposes described in Section 3 above, in order to establish, exercise or defend our legal rights, or for archiving purposes.

11. Security of personal data

Leroy adopts appropriate technical and organizational measures to ensure the security of personal data, in accordance with Article 32 of the GDPR. These measures include, but are not limited to:

  • ensuring the confidentiality, integrity, availability, and resilience of processing systems and services – Leroy has also implemented and maintains an Information Management Security System for legal activities that fulfils the requirements of EN ISO/IEC 27001:2023 (ISO/IEC 27001:2022) (ISO ensures that our processes, security measures, and quality control meet the rigorous international standards set by the International Organization for Standardization).
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.

12. Monitoring and Compliance

Leroy continuously monitors compliance with this policy and with applicable data protection regulations. Any breach of this policy may result in disciplinary action and/or legal liability.

13. Your rights

As a data subject, you have the following rights in relation to your personal information:

  • the right to access the personal information held by us about you;
  • the right to have your personal information rectified, for example if it is incomplete or inaccurate;
  • under specific circumstances and subject to applicable law, the right to restrict or object to the processing of your personal information, or request that your personal information is erased;
  • under specific circumstances and subject to applicable law, the right to receive a copy of the personal information which you have provided to the firm, in a structured, commonly used and machine-readable format (known as “data portability”);
  • where you have provided personal information based on your consent, or voluntarily, the right to withdraw your consent at any time, without prejudice to the legality of the processing done before your withdrawal;
  • the right to lodge a complaint with a data protection authority (the website of the Romanian Data Protection Authority is http://www.dataprotection.ro/);
  • you also have the right to opt out, free of charge, at each and any time of receiving marketing communications from us.

14. Policy review

This policy is reviewed periodically, at least once a year, or whenever significant legislative or organizational changes occur.

If you have any questions about this policy or intend to exercise one of your abovementioned rights, please feel free to contact us at the address office@leroylaw.ro, or by phone at Tel: +40 (21) 223 03 10 / Mob: +40 744 37 45 46, or by Fax: +40 (21) 223 03 42

Appendix 1

Appendix to the Personal Data Processing Policy:
Detailed information on the personal data we collect, the source of it, why it is needed by us and how we may use it.

No. 1
Purpose of processing: The provision of legal services
Personal data: Identification and contact details. Meetings and calls attended. Involvement in other matters handled by the firm conflicts checks. Special categories of personal data, if strictly necessary for the provisions of the legal services.
Source of the personal data: Directly from the individual or provided by a client or other contact. Generated by the firm during the client relationship.
Legal ground for processing: Contract, legal obligation, public interest task or legitimate interest, as the case may be.

No. 2
Purpose of processing: Performing our duties as actors involved in courtly procedures.
Personal data: Identification and contact details. Special categories of personal data, if strictly necessary for the provisions of the rendered services.
Source of the personal data: Directly, from the client or as part of our activities, or indirectly as part of the normal course of the proceedings (from the adversary, witness and other relevant actors engaged in courtly proceedings).
Legal ground for processing: Contract or public interest task, as the case may be (in relation to the justice system, by establishing, exercising or defending our clients’ legal rights and as part of our duties regarding the sole interest of aiding the justice system).

No. 3
Purpose of processing: Identity verification and conflict or background checks
Personal data: Identification and contact details. Special categories of personal data, if strictly necessary for the identity verification and conflict or background checks.
Source of the personal data: Directly from the individual or from third party sources, such as:
  • client contact;
  • public registers of company directors and shareholdings;
  • regulatory bodies;
  • government departments and agencies;
  • searches of other publicly available sources.
Legal ground for processing: Contract or legal obligation, as the case may be.

No. 4
Purpose of processing: Anti-money laundering and other regulatory checks
Personal data: Identification and contact details. Special categories of personal data, if required by law in force from time to time. In addition, depending on the case:
  • Criminal activity and offences committed;
  • Nationality;
  • Payment arrangements and source of finance/funds.
Source of the personal data: Directly from the individual or from third party sources, such as:
  • client contact;
  • public registers of company directors and shareholdings;
  • regulatory bodies;
  • government departments and agencies;
  • searches of other publicly available sources.
Legal ground for processing: Legal obligation.

No. 5
Purpose of processing: Marketing and business development
Personal data: Identification and contact details.
Source of the personal data: Directly from the individual or provided by a client or other contact.
Legal ground for processing: Consent or legitimate interest (business need (the development and promotion of legal and related services)).

No. 6
Purpose of processing: Recruitment
Personal data: Contact information (as above) and personal data provided by the candidate.
Source of the personal data: Directly, from the applicant (intern, regular job applicant/staff, attorney-at-law) itself.
Legal ground for processing: Consent of the data subject