The protection of your privacy and the security of your personal data in accordance with the General Data Protection Regulation (2016/679) (GDPR) and the underlying (implementation) laws and regulations, including but not limited to the Dutch GDPR Implementation Act, is of great importance to Finnius advocaten B.V. (Finnius). This Privacy Statement describes how we process and protect your personal data.
In accordance with Article 13 and Article 14 GDPR, this Privacy Statement contains information about:
- What is considered personal data and how we obtain such personal data;
- The purposes for which and the bases on which we process your personal data;
- The period during which we store your personal data;
- The parties to whom we disclose your personal data;
- In what manner your personal data is protected; and
- The rights you have in respect of your personal data processed by Finnius.
This Privacy Statement is intended for natural persons whose personal data Finnius processes, in particular clients of Finnius, prospects of Finnius, persons who have subscribed to newsletters from Finnius and the suppliers of Finnius (i.e. parties from which Finnius purchases services such as, for example, software or printer suppliers, courier service providers and the accountant).
Employees or other natural persons engaged with Finnius in a similar relationship, please refer to the Internal Privacy Statement to learn how Finnius processes your personal data.
What are personal data?
Personal data as defined in the GDPR means any information relating to an identified or identifiable natural person (‘data subject’). Int this respect, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
We process the following personal data:
- general personal information such as your first and last name, middle name, title;
- contact details such as your e-mail address, mailing address, place of residence and telephone number;
- information for billing purposes, such as your bank account number;
- other personal data you provide to us in the context of our legal services, including – depending on the legal services requested – personal data of close relatives or family members. This may also include special personal data (bijzondere persoonsgegevens) and/or personal data relating to criminal convictions or criminal facts (strafrechtelijke persoonsgegevens);
- personal data that we may be required to request on the basis of the Dutch Anti-Money Laundering and Prevention of Terrorism Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme, Wwft) before providing our legal services, such as, for example, a copy of your passport or ID (in which the national security number is shielded); and
- personal data you provide us in the context of attending events or meetings, such as accessibility and dietary requirements and wishes.
We process your personal data because you have provided this data to us. For example, you provide data when entering into an agreement with us or by giving us your business card. We may also process your personal data by acquiring it from other (public) sources, such as a concerned lawyer, counterparties, the trade register of the Chamber of Commerce, the Land Registry (Kadaster) or by using public sources such as Google. If your personal data is obtained from third parties, Finnius will inform you separately about the categories of personal data provided.
Purposes and bases for processing personal data
Finnius processes your personal data exclusively for the following purposes:
- the provision of our legal services, which include advising, litigating and supervising investigations and transactions, and the performance of the (contractual) arrangements underlying such legal services;
- maintaining our records;
- issuing and collecting invoices;
- complying with legal and regulatory obligations, such as conducting client due diligence pursuant to the Wwft;
- organizing marketing and business development activities, such as sending newsletters, invitations to our events and other marketing communications that may be of interest to you; and
- Handling your application or registration for one of our events.
We process your personal data on the basis of one or more of the following legal bases (please refer to Article 6 GDPR):
- the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
- the compliance with a legal obligation to which Finnius is subject;
- the purpose of the legitimate interests pursued by Finnius or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data; or
- your consent to such processing.
A legitimate interest for processing your personal data is the use of your general personal data and contact details for direct marketing purposes of Finnius. In addition, we may use your personal data to put you in contact with one of our relations, for example in the context of a referral. If Finnius processes personal data on the basis of the processing ground legitimate interest, it will make the relevant assessment according to the then applicable requirements pursuant to the GDPR and relevant related legislation and case law.
When Finnius processes your personal data based on your consent, Finnius will request such consent from you specifically and under separate cover. You may withdraw your consent at any time. Please also refer to the section “Your rights” below.
If Finnius intends to process your personal data for a purpose other than that reflected above, Finnius will inform you of such other purpose and any relevant further information prior to the start of the processing of your personal data pursuant to such basis.
Transfer of personal data to third parties
In certain cases, we may disclose your personal information to third parties, such as:
- Third parties relevant to our legal services, such as counterparties, attorneys, courts, regulatory agencies and government agencies;
- Third parties, such as regulators and other agencies, to comply with our legal obligations;
- Third parties who process your personal data on behalf of and on the instructions of Finnius (processors) for the purposes described in this Privacy Statement, for example in the context of the storage of personal data in our CRM system.
The sharing of your personal data with these third parties is done only for the purposes and only on the bases reflected in this Privacy Statement.
Third parties to whom we provide your personal data are themselves responsible for compliance with privacy laws. Finnius is neither responsible nor liable for the processing of your personal data by these third parties. To the extent that a third party processes your personal data in the capacity of a processor (within the meaning of the GDPR) of Finnius, Finnius shall enter into a processing agreement with such third party that complies with the requirements described in the GDPR.
In order to provide our services, we may need to transfer your personal data to a third party based in a country outside the European Economic Area (EEA). An example hereof is the situation where we provide your personal data to an opposing party, a judicial authority or a regulator based outside the EEA. Finnius regularly conducts litigation in Aruba, Bonaire and Curaçao. In addition, its advisory practice extends to, amongst others, the United States and the United Kingdom. With respect to the United Kingdom, the European Commission issued an adequacy decision on June 28, 2021. This means that the United Kingdom guarantees an adequate level of protection. In respect of the other countries mentioned above, no adequacy decision has been made at the date of this Privacy Statement. In such cases, Finnius will ensure that such transfers of personal data comply with the GDPR and other applicable laws and regulations, and will take additional measures to protect your personal data where possible. At the time we will transfer your personal data to a country outside the EEA, we will inform you prior to the transfer about these protection measures and whether a copy of these measures can be obtained or where this can be accessed.
How long do we keep your data?
Finnius does not retain personal data processed in an identifiable form longer than necessary for the aforementioned purposes of data processing or as required under applicable laws and regulations.
More specifically, Finnius uses the following retention periods:
- The files of cases handled by Finnius are kept in accordance with the Dutch Bar Association’s Handbook on Archiving at the Law Office for at least five years (and longer if required by law);
- Personal data processed under Article 33 Wwft in relation to customer due diligence shall be retained for a period of at least five years after the termination of the business relationship or after the execution of the transaction concerned. Personal data processed pursuant to Article 34 Wwft for the purpose of the reporting an intended or pursued unusual transaction are retained for a period of at least five years as of the date on which the reporting has been performed or the moment of receiving a message from the Financial Intelligence Unit, respectively;
- Personal data that must be administered pursuant to Section 52 of the Dutch General Tax Act (Algemene wet inzake rijksbelastingen (AWR)) shall be retained for seven years (as of the end of the year in which the data in question have lost their current relevance for the (tax) conduct of business) in connection with Finnius’ tax retention obligation under Section 52(4) AWR,
provided that the specific retention periods mentioned above may be extended if legal retention obligations are/are applicable.
Your personal data will be deleted in any case if:
- it appears that your (e-mail) address is no longer in use (for example, when error messages are received);
- your personal data is processed and/or stored based on consent and you revoke the consent;
- the basis on which your personal data is processed by Finnius ceases to exist or the processing of personal data is no longer required for the pursued purpose of such processing, for example, if your company ceases to exist or if your case has closed and you have not been a customer of Finnius or have not had any contact with Finnius in a period of 5 years;
- the legal retention periods for keeping your personal data have expired.
Right to access, rectification, data erasure, restriction of or object to processing and data portability
You have the right to access, rectification or data erasure of your personal data processed by Finnius, subject to the legal grounds for exception in relation to the right to data erasure under Article 17(3) of the GDPR. You also have the right to request restriction of processing, to object to processing and the right to data portability (dataportabiliteit).
To the extent that the processing of your personal data is pursuant to the legal or contractual basis for processing or processing is a necessary condition for entering into a contract with Finnius, and you are not willing to provide such personal data, this could possibly result in Finnius not being able to provide its services to you because the processing of your personal data is necessary for the provision of its services or because Finnius requires such processing of your personal data in order to comply with legal obligations applicable to it. Finnius would inform you of such consequence.
Object to processing pursuant to legitimate interest
To the extent that your personal data is processed by Finnius based on its legitimate interest, you have the right to object to this processing. This also applies if your personal data is used for direct marketing.
You may submit such an objection in writing to Finnius advocaten B.V., Jollemanhof 20 A, 1019 GW Amsterdam, or by email to firstname.lastname@example.org.
Right to unsubscribe from direct marketing
At the bottom of every digital mailing you receive from Finnius, you can change your mail preferences via the “unsubscribe” link. Every other mailing you receive from Finnius will state how you can unsubscribe. Thus, you can withdraw your consent to the processing of your personal data in respect of direct marketing at any time.
Right to withdraw consent
To the extent that your personal data are processed pursuant to consent provided by you, you have the right to withdraw this consent at any time. Finnius reminds you that the withdrawal of your consent does not affect the lawfulness of the processing of your personal data prior to the date of the withdrawal of your consent. Should the withdrawal of your consent affect Finnius’ services, Finnius will notify you accordingly.
No automated decision-making
Finnius does not use automated decision-making (including profiling within the meaning of Article 22 GDPR).
When will you receive a response to your request?
Finnius only accepts requests that relate to your own personal data.
Finnius will notify you of any rectification, restriction or erasure of your personal data in accordance with Articles 16, 17 and 18 of the GDPR, unless this proves to be impossible or requires disproportionate effort. Finnius will always inform you hereof should you explicitly request it.
A request to exercise any of the aforementioned rights or to revoke previously granted consent may be made in writing to Finnius advocaten B.V., Jollemanhof 20 A, 1019 GW Amsterdam, or by email to email@example.com. In principle, Finnius will inform you within one (1) month after receipt of your request whether Finnius can fulfill your request. This period may be extended by two (2) months in specific cases, for example if there is a complex request or multiple requests. Finnius will inform you about such an extension at the latest within one (1) month after receipt of your request. Pursuant to privacy legislation, Finnius may refuse your request under certain circumstances, for example due to the duty of confidentiality (geheimhoudingsplicht) of lawyers or other legal obligations (such as statutory retention periods). If this is the case, Finnius will explain to you why.
You can also find more information about your privacy rights on the website of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Request for additional information
In order to be sure that we are providing the relevant personal data to the correct person based on your request, we will ask you to provide a copy of a valid passport, driver’s license or ID card with a shielded passport photo and BSN number, and/or additional information that serves this purpose, for verification purposes.
Questions or comments? Get in touch!
If you have any questions about Finnius’ processing of your personal data or disagree with the processing of your personal data or the way Finnius processes your personal data, you may contact us by email by sending an email to firstname.lastname@example.org.
Finally, you have the right to file a complaint with the Dutch Data Protection Authority (https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/gebruik-uw-privacyrechten/klacht-melden-bij-de-ap).
The security of your personal data
Finnius wants your personal data to be as secure as possible. We therefore strive to transfer your personal data securely from your computer to our servers. Finnius has taken appropriate technical and organizational measures to protect your personal data from loss or any form of unlawful processing. Measures taken include, but are not limited to, protected access to sensitive files, two-factor authentication (2FA) with respect to accessing computers, the CRM system and Outlook in relation to e-mail correspondence.
Finnius periodically assesses whether the measures in place still provide adequate and appropriate protection and will make adjustments as necessary.
Finnius may modify the contents of this Privacy Statement at any time without prior notice or third-party approval. You can review our Privacy Statement on Finnius’ website at any time. We recommend that you do so regularly, and at least at the time you provide your personal data to Finnius. If there are substantial changes that may significantly affect one or more data subjects, Finnius aims to inform these data subjects directly.
If you have any questions or comments about the processing of your personal data or wish to exercise your rights as stated above, please contact Finnius advocaten B.V., Jollemanhof 20 A, 1019 GW Amsterdam, or by email to email@example.com.
Last update: April 2023