“REVNIC CRISTIAN ŞI ASOCIAŢII” – LAW FIRM, hereinafter referred to as the “Firm”, applies the following policy for confidentiality, for the appropriate protection of personal data and for thorough compliance with its obligations and responsibilities as Personal Data Controller, as well as Personal Data Processor.
In creating and implementing this policy, the Firm took into consideration the applicable legislation in this field, including (but not limited to) the General Data Protection Regulation EU 2016/679 (“GDPR”).
THE PERSONAL DATA THAT WE PROCESS
Our Firm processes several categories of personal data belonging to our Clients, their representatives and attorneys, the contact persons of our Clients, or to third parties, data that were disclosed to us directly by the Clients or were otherwise received by the Firm in the course of our professional activity, as follows:
– identification and contact data (given name, surname, nationality, date and place of birth, permanent address or residence, ID series and number or passport number, personal identification number, bank accounts, e-mail addresses, telephone numbers and other such data);
– biometric data (copies of identity documents), regarded by GDPR as sensitive;
– information about the labour agreements and relations, incomes, wealth, education, scientific and professional titles, information about the marital status and family, abilities, hobbies, characteristics, tendencies, talents, official and personal relationships and other such pieces of information;
– data regarded by GDPR as being part of a special category, such as: political and philosophical opinions, beliefs or perspectives, medical or health data, data concerning a natural person’s sexual orientation or sex life, data revealing racial or ethnic origin, genetic data, biometric data comprised in photographs or recordings;
– data relating to criminal convictions and offences or related security measures.
HOW WE PROCESS PERSONAL DATA
The Firm, as a provider of legal services, determines the purposes and means of the processing of personal data according to its own terms and conditions applicable to the services rendered and / or to the purposes provided for under its applicable law (Law no. 51/1995 regarding the legal profession, Professional Bylaws and Law no. 656/2002 for the prevention and sanctioning of money laundering and for the introduction of measures to prevent and combat terrorism financing) and, therefore, with regard to these data processing operations, it will act as an Independent Controller.
Also, the Firm processes personal data as Processor on behalf of a controller (usually when a Client is a personal data Controller). In such cases, the controller (the Client) is the one who determines the purposes of data processing.
In processing personal data under the Legal Services Agreement, the Firm undertakes to comply with all applicable obligations under the legislation on the protection of personal data, including but not limited to the GDPR provisions.
The Firm makes sure that all our data subjects are properly informed of their rights regarding their data protection, regarding the data that we process and the purposes for which we process their data.
The Firm has appointed a person in charge of the protection of personal data, who may be contacted by any of our data subjects, for aspects related to personal data protection, at the following e-mail address: email@example.com
WHAT ARE THE PURPOSES FOR PROCESSING PERSONAL DATA?
The Firm processes personal data for the following purposes:
- for signing, executing and performing the Legal Services Agreement (performance of law-specific activities such as, yet not limited to: consultancy and legal requests; assistance and legal representation in front of the courts, authorities conducting criminal investigations, authorities with jurisdictional responsibilities, notaries and bailiffs, public administration bodies and institutions, as well as other legal entities in Romania and other countries, according to the law; drafting of legal instruments; certification of the identity of the parties, content and date of documents submitted for this purpose; assisting and representing the interested individuals or legal entities in front of other public authorities with the possibility of certifying the identity of the parties, the content and date of the documents concluded; the defense and the representation with specific legal means of the legitimate rights and interests of individuals and legal entities in their relations with public institutions, authorities and any Romanian or foreign entity; mediation and fiduciary activities carried out under the Civil Code);
- for the performance of a public interest task;
- for the fulfilment of a legal responsibility of the Firm (such as the fulfilment of tax obligations; the fulfilment of our legal obligation to keep accounting records; the fulfilment of our professional obligation to keep registries of the contracts concluded by the Firm and of the documents for which we have certified the date; the fulfilment of the legal obligation to archive);
- for the fulfilment of a legal obligation or legitimate interest, as applicable.
We process biometric data (copies of identity documents), considered by GDPR to be sensitive data, submitted by the Client to the Firm, under Law no. 51/1995 regarding the legal profession, Professional Bylaws and Law no. 656/2002 for the prevention and sanctioning of money laundering and for the introduction of measures to prevent and combat terrorism financing.
As per paragraph 9 of GDPR, we process data regarded by GDPR to be sensitive data, disclosed to the Firm directly by the Client or otherwise received by the Firm in the course of our professional activity, regarding the Client or third-party subjects, such as: political and philosophical opinions, beliefs or perspectives, medical or health data, data concerning a natural person’s sexual orientation or sex life, data revealing racial or ethnic origin, genetic data, biometric data comprised in photographs or recordings, to the extent that such data are needed for the performance of the legal activities that are the object of the Legal Services Agreement, for presenting and proving the Client’s position in court or in front of other authorities and institutions or for issuing a precise legal opinion, as per the Client’s requests.
As per paragraph 10 of GDPR, according to our position, responsibilities and obligations that we, as attorneys-at-law, have in criminal procedures, or in other jurisdictional or administrative procedures, we process data relating to criminal convictions and offences or related security measures, as authorised by the legal provisions comprised in Law no. 51/1995 regarding the legal profession, Professional Bylaws, Criminal Code, Criminal Procedure Code and other specific laws and regulations.
We DO NOT use personal data for automated processing or profile creation.
We NEVER make automatic decisions about any data subject.
We DO NOT process data for secondary purposes that are incompatible with the purposes for which we have collected it.
OTHER RECIPIENTS TO WHOM WE TRANSMIT PERSONAL DATA
In order to perform the Legal Services Agreement, to fulfil our legal obligations or other legitimate purposes, we may transmit personal data to court authorities, criminal investigation bodies, judicial authorities, notaries and bailiffs, public administration bodies, external consultants, financial or banking institutions, authorized persons to whom we have outsourced certain services and other categories of recipients from Romania or the European Union / European Economic Area or abroad, but always ensuring that we provide adequate guarantees to protect the data.
FOR HOW LONG DO WE STORE PERSONAL DATA?
The personal data that we collect is processed throughout our contractual relationship and, upon completion, at least for the period required by applicable laws, including, but not limited to, the archiving provisions.
We periodically review the collected data, analyzing the extent to which it is necessary to store the data collected, for legitimate interests, or for our compliance with the legal obligations. Data that is no longer needed will be deleted and the documents destroyed or anonymized. Our standard period for archiving the documents, as per our internal policy, is 7 to 10 years after completion of the contractual relationship.
As a personal data Controller, as well as a Processor on behalf of our Clients, the Firm implements appropriate technical and organizational measures in order to ensure the security and confidentiality of the data.
We strictly comply with and ensure professional secrecy. Confidentiality represents for us not only a professional responsibility, but also an essential value.
In order to ensure data protection, we use internal procedures and strategies comprising appropriate technical and organizational measures.
We have implemented physical security measures (professional services for surveillance and protection, access permission strictly based on authorized access codes) and also electronic security measures (use of encrypted databases, use of high-performance antivirus software), in order to protect our venues and electronic systems from any unauthorized access or other possible threats to the security of the data and of the information that we control and process.
The technology that we use, including the applications for document management, Client database management and invoicing, ensures the security of the personal data and of the information that we process. We use professional services for technical assistance and maintenance of our technological systems, software and hardware.
In the agreements with our suppliers and the entities that we authorize to process data on our behalf, we make sure to have appropriate provisions in order for the data and information we transmit to be thoroughly protected.
We thoroughly restrict the access to the personal data that we process, by using levels of confidentiality that allow access strictly to the lawyers, employees and external collaborators who necessarily need to access the data in order to complete the tasks and fulfil obligations that we have undertaken in the legal consultancy agreements with our Clients or in order to fulfil our legal obligations.
We use appropriate internal procedures regarding the flow of information, data and documents within the Firm, which minimize the risk of data leaks to unauthorized persons.
We make sure that we include appropriate confidentiality protection provisions in the agreements with the lawyers who are part of our Firm, as well as with our employees and our external collaborators.
We permanently take care to provide appropriate information and training to our employees and collaborators regarding the relevant legal provisions and the best practice in the field of protecting the personal data and information.
The Firm complies with its legal obligations in case of a data security breach, by informing the Client without undue delay about any such incident.
THE RIGHTS OF DATA SUBJECTS AND HOW THEY MAY BE EXERCISED
Starting May 25th, 2018, according to GDPR, any data subject (any natural person that we process personal data about) has the following rights:
The right to be informed – the data subject has the right to access the personal data concerning him or her;
The right to rectification – the data subject has the right to obtain from us the rectification of inaccurate personal data concerning him or her;
The right to erase the data (“right to be forgotten”) – the data subject has the right to obtain from us the erasure of personal data concerning him or her in case their processing was not legal, or in other cases provided for by the law;
The right to restriction of processing – the data subject has the right to obtain from us restriction of processing of personal data concerning him or her in case they have objections regarding the accuracy of the data, as well as in other cases provided for by the law;
The right to object – the data subject has the right to object to our processing of their personal data, especially to the processing of data which is based on our legitimate interest;
The right to data portability – under certain conditions, the data subject has the right to receive the personal data concerning him or her, which he or she has provided to us, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from our Firm;
The right to withdraw the consent – in case the processing is based on the data subject’s consent, he or she may withdraw it at any time. The withdrawal of consent will only take effect for the future, and the processing made before the withdrawal will remain valid;
The right to lodge a complaint – the data subject has the right to lodge a complaint with the National Supervision Authority for Personal Data Processing, regarding the methods of personal data processing.
Any interested party may exercise these rights, either individually or collectively, by submitting a request to our registered office in Cluj-Napoca, No. 1, Pavel Rosca Street, apartment no. 7, Cluj County, fax no. 0264-599 743 or by e-mail at firstname.lastname@example.org