Last updated: 18 February 2020
Index
- Privacy Statement
- Glossary
- The Data Controller
- LEXA Core Activity – Service Catalog and Lawful Basis
- WHAT Personal Data is “treated” by LEXA
- WHAT “Treatment” occurs over Personal Data
- HOW is Personal Data Security, Privacy and Confidentiality assured
- WHY and with WHO is Personal Data Shared
- For HOW LONG is Personal Data maintained
- HOW to exercise Data Subjects’ rights
- LEXA’ DPO
Privacy Statement
“Personal Data” is what enables other individuals or companies to identify you and get to know you; meaning, whereas a minimum amount of Personal Data (e.g. name, registry number, and e-mail) enables any third party to univocally identify you; another type of Personal Data (e.g. football club, wine preferences, favorite movie) enables those entities to get to know you.
Personal Data may render you at risk if accessed by unauthorized hill intended 3rd parties.
LEXA (both as an organization as each of its staff members) is perfectly aware of this fact, and that is why a set of Policies, Operational Processes, and mechanisms (technological and human-based) has been developed to ensure that the Personal Data entrusted by you to LEXA will be maintained, handled and shared in a manner that ensures its Security, Accuracy, Confidentiality, and Privacy, hence ensuring your Personal Data Protection.
GDPR is (at present Date) the most advanced and demanding piece of legislation towards Personal Data Protection, ruling and establishing requirements that must be followed by companies and individuals towards having in place a “Modus Operandi” that ensures your Personal Data to be safely handled by third parties not rendering you at risk, and that is why LEXA has adopted it as a Corporate Guideline (more than “just” a Legal Obligation).
Applicability
LEXA reserves the right to modify this Privacy Policy at all times by posting an updated version on its websites.
The Data Controller
LEXA Sociedade de Advogados established in Rua 1º de Dezembro, 22; 2560-300 Torres Vedras – Portugal (operating under the brand “LEXA”) is the entity that acts as the Data Controller for the purpose of this Privacy Policy and all data processing practices herein contemplated. All questions or requests regarding the processing of the personal data under our control or processing may be addressed to freitas.serrano@lexa.pt
LEXA DPO contacts
Mr. Rui Serrano
Country: Portugal, European Union
email – freitas.serrano@lexa.pt
phone – +351932579434
LEXA Core Activity – Service Catalog and “Lawful Basis”
LEXA renders a set of services towards both natural persons as other companies, which successful completion requires “Personal Data Processing Activities”.
Under this scope, LEXA’ Service Catalog comprehends the following services and applicable “Lawful Basis” for processing Personal Data (respectively), meaning how is LEXA permitted by law to process “Personal Data” under such services scope:
- Reaching out to prospect Corporate Clients
LEXA, in general, does not directly reach out to natural persons (per se) with whom it has no established relationship. Such action occurs where those natural persons act as Corporate Representatives deriving from their role/ responsibility within a given organization, yet (although under a B2B perspective) while observing by the GDPR Article 14.
Nevertheless (being a B2B context), the “Lawful Basis” towards directly reaching out to such prospects’ representatives, consists of Legitimate Interest under the GDPR article 14.
- Legal Consultation
This service consists of a Legal Counselor being able to listen to a given natural person’ doubts or any events/ incidents that may have impacted or may come to impact on their Personal Life with Legal repercussions or impact; assessing the context at hand and then providing guidance/ reassurance and/ or legal advice on how to should that Data Subject proceed.
Where the Data Subject’s intention end up being one of not moving forward to the Legal Sponsoring Service, LEXA will maintain the gathered Data/ information for the period of 1 year in order to be able to support the Data Subject if needed be, however that information is maintained accessible only by that lawyer and her/ his direct support staff/ or replacement lawyer.
The Lawful Basis in the case of this service consists of “Explicit Consent”.
The Data Subject surrenders his/ her Personal Data (which is relevant to enable the Consultation Service) on their own free will and having understood the context, purpose, and scope of this service (and inherent “Personal Data Processing Activities”), hence while providing their Consent to it.
- Legal Sponsoring
Following a Legal Consultation, the Data Subject may decide to be represented before the legal system and under the Law by LEXA
In this case, the applicable Lawful Basis for Processing by LEXA consists of the fulfillment of Contractual Obligations clearly defined and ruled under the Portuguese Legislation (Article 20 of the CRP and the articles 12 and 15 of the “Lei da Organização do Sistema Judiciario”), since the Lawyer has been hired by the Data Subject to represent him/her before the Legal System and under the Law.
Such a Service also comprehends a “forensic mandate” by the Data Subject towards the Lawyer as per ruled under the article 44 of the CPC.
- Contracts creation and registries towards public sector
A Contract is a legal positive and affirmative declaration by the parties towards what is encompassed in its clauses and terms with binding legal validity while its provisions are specific and do not violate the applicable legislation.
While support the creation of a contract which suites the need to clarify an interaction relationship between the parties and where those parties are natural persons or it is required to have registered and described in the contract Personal Data pertaining to representatives of the parties who are natural persons, those Data Subjects surrender their Personal Data (which is relevant/mandatory by law in terms of the contract context/ scope and purpose) while providing their Explicit Consent for the purpose at hand, meaning the creating of such a Contract and any legally required accessory proceedings
- “Notary acts”
Some legal acts (not exclusively but where some contracts are included), require registry by specific national Notary Services. Since such is a legal requirement under the Portuguese Law (as well as some other countries legislation), where applicable, the proceedings that lead to such registries and which may require sharing Personal Data pertaining to the Data Subjects whom are referred to on the Contract/ documentation being submitted, occurs under the lawful base of a Legal Obligation.
WHAT “Personal Data” is subject to Processing by LEXA
In the case of LEXA the following categories of Personal Data will be directly processed:
- Contact Data (e.g. Name; Email; Phone number)
- Location Data (e.g. Home address; Country; City; State)
- Personal Information (e.g. Gender; Birth Date; Children)
- Financial Data (e.g. Annual income; electronic payment username)
- Consuming habits (e.g. Consuming habits; usual purchasing place)
- Fiscal Data (e.g. Fiscal number; Fiscal history)
- Financial Data (e.g. Banking information; Investments; Shareholding)
- Circumstantial Legal Context – meaning the set of events and/ or incidents that led the Data Subject to resort to LEXA under the scope of Legal Counselling/ sponsorship
- Labor information (e.g. job description; employer)
- Training and Education (e.g. school backlog; specific courses)
The univocal identification and documentation of the “Data Subject”
In those cases where “Data Subjects” who may interact with LEXA cannot be identified in presence or through Login credentials on a platform managed by LEXA; the identification/ authentication of the natural person as the Data Subejct will takeplace through two-factor authentication consisting of sending/ receiving messages that imply some action or permission/ objection to “Personal Data Processing Activities” by e-mail and having it confirmed with a unique individual code that has been previously conveyed to those “Data Subjects” by SMS towards their mobile phones.
WHAT Treatment occurs over “Personal Data”
Gathering/ Collection
As previously mentioned, although in general LEXA exclusively gathers the Personal Data directly from the Data Subjects themselves, when they reach out to LEXA’s offices and legal team (mostly on-site and in presence), it may happen that LEXA gathers a minimum amount of “Personal Data” that enables to entice contact with a “Data Subject” from a 3rd party source.
In such case the type of “Personal Data” collected consists of basic minimum Contact and Location Data as well as Personal Information that is relevant to decide whom will be contacted, namely (yet not exclusively):
- Name
- Phone number
- Country, City, State
Where “Personal Data” was collected from a 3rd party (including “public sources”), LEXA will act as per “GDPR” Article 14 ruling, meaning the “Data Subject” will be contacted and informed about which type of “Personal Data” was gathered by LEXA, for which purpose and from which source and the “Data Subject” will be requested to provide his/ her Explicit Consent towards “Personal Data” Processing under the conveyed service scope.
If the “Data Subject” either does not reply within 28 days or his/ her answer is of not consenting towards LEXA Processing his/ her “Personal Data”, LEXA shall erase the “Personal Data” which has been collected about that “Data Subject”.
To prevent further contact within the same scope, the “Data Subject’s” Name and e-mail address will be “blacklisted” (therefore maintained by LEXA) on a dedicated repository that is accessible to relevant internal Departments only.
When a Data Subject visits LEXA’ websites, session cookie files are either placed on his/ her browser device, or the website reads such already existing files.
LEXA exclusively uses those cookies that record information about the “IT architecture and Landscape” of the device being used by the visitor (e.g. browser; browsing preferences; other…) to allow the user interface to be tuned so the visit experience is “functional” as per the website content, nevertheless, without identifying that visitor personally (as a Data Subject).
This information, except for IP addresses, is never combined with the data pertaining to either Clients, thus not leading to the identification and habits “profiling” of any particular Data Subject.
IP addresses are exclusively cross-referenced with other data for the purpose of safekeeping the company from fraud attempts plus with regards to “Customers” documenting operations by (1) verifying the identity of a person signing in, and (2) making records of your consent and other legally binding actions (Legitimate Interest).
The IP address is also used (while segregated) for the purposes of web analytics (via Google Analytics).
For detailed information about cookies in use and similar employed technologies please refer to the Cookies Policy.
Storing
LEXA is a Lawyers’ Firm, which means that the Data and Information will be stored both in Digital as well as physical (paper based) form (even because in some cases the Law does so require).
Nevertheless, paper-based information has its lifecycle reduced to the absolute minimum possible and solely depending on “legal requirements”. Paper-based information that is no longer “live” (in the sense of an on-going legal process) but however, it must still be maintained, it kept on the Company Archive at the basement of the building and with digitally encoded access via electronic lock (password).
LEXA Service “IT Landscape” consists of a core dedicated Service Platform for legal processes management as well as a dedicated and isolated in-house file server structure, maintained on a secure Data Center (controlled access) at the office building.
Processing
“Personal Data Processing Activities”, consist of Legal Counseling/ Sponsorship/ Representation and Contract Management activities as per defined under the European and Portuguese legislation.
As a European Union established company, LEXA observes the GDPR towards any and all natural persons regardless of their geographic location or residency.
Sharing
LEXA does not share Personal Data with any entities out of what is permitted and defined by Law under the scope of the activity of a Law Firm, a lawyer and judicial proceedings.
International Data Transfers
Under its regular operation, LEXA does not share or transfer Personal Data with entities established on “3rd countries” (meaning not the EU Member States nor within the European Economic Area), therefore not enjoying an adequacy qualification by the European Commission pursuant to GDPR Article 45 ruling, such as Belize, Bosnia and Herzegovina, and Russia.
However there may be circumstances where such sharing becomes a requisite of on-going legal proceedings and where that is the case, LEXA will act exclusively as permitted by EU and Portuguese Law and/ or where applicable with the Data Subject’s Explicit Consent, having taken (up to its capacity) the needed measures to ensure the secure transfer of such Personal Data.
To make such transfers fully compliant with the GDPR, LEXA will further attempt at having a Data Processing Agreement in place with those 3rd parties with which it may be required to share Personal Data (unless under a court order or an existing legal requirement/ proceeding).
Such Data Processing Agreements shall then include the EU Standard Contractual Clauses in accordance with Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
HOW is “Personal Data” Security, Privacy and Confidentiality assured
LEXA has its “IT Landscape” configured and monitored under the strictest Security market standards and it has reviewed and adopted changes to its operational processes in a manner that ensures compliance with the requirements posed under “GDPR” towards “Personal Data” Protection. This means to assure its Confidentiality and Privacy while under “Personal Data Processing Activities” performed by itself and its “Partners” within the scope of LEXA rendered services.
For HOW LONG is “Personal Data” maintained
Data retention is one major potential risk generator towards “Personal Data”, since having the Data available means it may be accessed if a “Personal Data Breach” occurs.
LEXA has set the Data Retention periods according to its services’ lifecycle and existing legal requirements, so that in one hand the company will not hold to “Personal Data” for any day longer that it is effectively necessary and on the other hand the risk of having needed information deleted prior to the end of its lifecycle is minimized.
HOW to exercise “Data Subjects’” rights
“GDPR” configures a set of rights that assist the “Data Subjects”, namely:
- Right of Access
The right to know whether data pertaining to him/ herself is being “Treated” by the organization and if so to be informed of which “Personal Data” is it (Article 15).
Nevertheless the Data Subject must bear in mind that as a Law Firm, there may be some legal proceedings that the Law allows the Lawyer to maintain confidential (even from the Data Subject); again, the GDPR does not overrule other applicable local legislation.
- Right to Rectification
The right to have the company updating any inaccurate “Personal Data” (Article 16).
- Right to Erasure
Also known as the Right to be Forgotten (R2BF) means that any “Data Subject” may request LEXA to erase all “Personal Data” that pertains him/ her from its repositories and inform/ have its “Processors” doing the same (Article 17).
Please note that “GDPR” does not overrule local legislation, hence in some cases, LEXA may not be able to immediately (or at all) comply with such “Data Subject” request.
- Restriction of Processing
The right to limit the processing of the “Data Subject’s” “Personal Data” (Article 18).
Processing derives the needs and requirements of LEXA’ Services (being rendered towards the “Data Subject”). Some services are independent, meaning they may be delivered if other services are not, whereas other services require accessory services that enable them. This means that restricting some processing activities may render the inherent service as well as other services undeliverable plus, some services may also be mandatory by law under running legal proceedings.
- Right to be Informed
LEXA will inform the “Data Subject” if any rectification, erasure or rectification of processing has taken place (Article 19).
So, the “Data Subject” has the right to be informed and will be by LEXA if any “Personal Data Processing Activities” activity changes towards his/ her “Personal Data”, including but not limited to, changes in service scope and most relevant in case of any “Personal Data Breach” which may have affected the “Data Subject’s” “Personal Data” (which will be conveyed within a period of 72 hours upon the incident).
Please bear in mind once more that there are some legal requisites that may render this rights not applicable depending on circumstances covered by local legislation.
- The right to Data Portability
The “Data Subject” is entitled to request and shall have his/ her “Personal Data” directly transmitted from LEXA to another “Controller” of his/ her choice, where technically feasible or to receive such “Personal Data” in an intelligible format so he/ she may provide it to that other “Processor” (Article 20).
- Right to Object
The right to instruct LEXA not to process his/ her “Personal Data” (Article 21).
Again, depending on which specific type of processing and its lawful base, the fact that the “Data Subject” requests LEXA to stop the processing activities does not necessarily mean that LEXA is obliged to or even allowed by Law to comply with the request.
- The right to stop Automated Decisions over “Personal Data”
The right to request LEXA to stop “Personal Data” Processing which derives from software automated triggers (Article 22).
Besides the Cookies being used, which the Data Subject may disable through “Cookies Management”, LEXA does not proceed with Automated Processing.
- The right to present a formal complaint
The Data Subject has the right to present a complaint towards the Supervisory Authority of his/ her EU Member State or the European Data Protection Board (EDPB) if not a resident in the EU. Such complaint submission entitles the Data Subject to benefit from binding arbitration from such Supervisory Authority with regards to the lawfulness of Personal Data Processing activities over Data that pertains to him/ her.
Any “Data Subject” may exercise his/ her rights under “GDPR” by reaching out to LEXA’ “DPO” through the e-mail address freitas.serrano@lexa.pt.
If you have any questions, complaints or wish to exercise your rights under “GDPR”, please do make clear on your message:
- Purpose: Question; Complaint; Exercise of the “Data Subject’s” rights under “GDPR”
- WHAT triggered your need to contact us?
- WHEN did the root cause which triggered the need to contact us took place?
- If a Member, your Member ID or if not a mobile phone number or alternative personal e-mail address so we may proceed with a two-factor authentication process.
Why the need to provide alternative personal contact?
Under “GDPR” only the “Data Subject” may exercise his/ her rights, hence companies must ensure and document that the “Data Subject” or his/ her legal representatives are the ones interacting with the company while acting over his/ her “Personal Data”. The way to ensure such “authentication” with regards to “Data Subjects” who do not have digital credentials on any LEXA web-based platforms is to forward a code to that “Data Subject” via an alternative communication channel to the standard e-mail address which served the purpose of the initial contact and have a code generated by LEXA included on all messages that pertain the exercise of “Data Subjects’” rights or actions over such “Data Subject’” “Personal Data”.
Glossary
“Affiliate” means any entity that directly or indirectly controls, is controlled by or is under common control with each Party. Whereas “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the Party.
“Controller” means the “Party” which determines the “Personal Data” which is forward to the other “Party” under the “Services” scope, and the inherent “Personal Data” Treatment” purposes, processes and/ or workflows which must be observed by the other “Party” within the mutual relationship.
“Data Protection Officer”/ “DPO” means the natural person within a company who bear the responsibility of ensuring corporate compliance towards “GDPR” (as per defined under this Regulation), both by means of monitoring compliance status as well as acting towards the organization and management structure informing those about existing non-conformity points and the need for the organization to act upon them in order to make them compliant with “GDPR” rules, guidelines and requirements.
“Data Subject” means the identified or identifiable natural person to whom “Personal Data” relates. Both Parties understand that the “Data Subject” is the sole owner of “Personal Data” which pertains to him/ her.
“Data Subjects’ Rights” means the rights established towards the “Data Subjects” under “GDPR”. Please check the item below under the title “HOW to exercise Data Subjects’ rights”
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the “Personal Data” Treatment” and on the free movement of such data, while
Repealing and replacing the Directive 95/46/EC from May 25th, 2018 onwards.
“IT Landscape” means the set of IT assets and services of and at the disposal of each “Party” that enables their “Personal Data” Treatment” operation, meaning the communications infrastructure (LAN, WAN, Wi-Fi networks), Data Center and technical rooms, Cloud-based services, workstations, software systems and tools, mobile devices in use, peripheral IT devices, Firewalls and web-based resources.
“Lawful Basis” means the enlisted lawful grounds that a company has to entice “Personal Data” Treatment” activities under “GDPR”, namely (but not limited to) having documented: the “Data Subject’” Explicit Consent towards “Personal Data” Treatment” activities; the company Legitimate Interest in proceeding with ““Personal Data” Treatment” activities; accessory legal obligations that the company must observe and which entitled it to proceed with “Personal Data Processing Activities” activities within the limits of such ruling and inherent obligations; other as per defined under “GDPR”.
“Partner” means any 3rd party entity towards which each “Party” may resort in order to ensure “Personal Data Processing Activities” under a “Lawful Basis” (as established by “GDPR”) and within the scope of agreed “Services”.
“Personal Data” means any data which by itself or when cross-referenced with other data enables one to univocally identify one given natural person, the “Data Subject”.
“Personal Data Processing Activities” means any operation or set of operations which is performed upon “Personal Data”, whether or not by automated means, such as collection/ retrieval; accessing (consultation, use); processing (organization, structuring, adaptation or alteration); storage (recording, erasure or destruction); sharing (disclosure by transmission, dissemination or otherwise making available, publishing).
“Personal Data Breach” means any “event” or “incident” (as per ITIL definition) which enables the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to “Personal Data”.
“Processor” means the entity which proceeds with authorized “Personal Data Processing Activities” (under this DPA and the “Agreement”) on behalf of the “Controller”.
“Service Catalog” means the set of Services rendered by LEXA that requires “Personal Data Processing Activities”.
“Sub-processor” means any “Processor” engaged by any of the “Parties” which performs complimentary “Personal Data Processing Activities” within the scope of the “Services”.