Lex-Part Avocats privacy policy

Version : April 21, 2022 (online publication date)

1. Preamble: the importance of data confidentiality at LEX-PART AVOCATS

Since its creation, LEX-PART AVOCATS has taken the greatest care to ensure a strong confidentiality of any data processed by the firm, in strict compliance with our ethical and professional rules and with all French and European laws.

This is why :

– the digital and paper information system is surrounded by strong security measures, which are continuously improved ;

– the members of the firm, whatever their status and the length of time they have been in the firm, are made aware of cybersecurity and the rules resulting from the law of 6 January 1978 and the EU regulation known as GDPR.

LEX-PART AVOCATS’ desire to provide the appropriate level of security for personal data is all the stronger since our firm works with its clients on audit, compliance, advisory and litigation matters relating to personal data protection.

2. Identification and contact details of the data controller

The data collected via our website lex-part.com, or by any other way from you, are processed by our firm as data controller:

 

SELARL INTERBARREAUX CABINET LEX-PART AVOCATS

RCS SAINT-ETIENNE 797 737 780

Registered offce : 7 Place de l’hôtel de ville 42000 SAINT-ETIENNE

Contact : or 04 77 33 12 06 or via the contact form on our website.

3. Identification et contact of our Data protection Officer (DPO)

 

Our firm has appointed a Data Protection Officer, whose contact details are as follows:

 

Mr Romain DE ZAN

Head of the IT/Data department

Mail : rdezan@lex-part.fr

Address and telephone number: identical to those of the data controller

 

You can contact our Data Protection Officer to exercise your rights or for any question related to the processing of your personal data.

4. Some examples of security measures and good practices in force

In order to maintain the security of the data we process, we cannot disclose in detail all the security measures in place.

 

However, our main measures are based on several pillars :

  • Raising user awareness and skills about confidentiality
    • All newcomers are trained in the good practices in place ;
    • This privacy policy is known and accepted by all members of the firm ;
    • Regular memos are sent to inform members of the firm of new good practices, security measures and privacy requirements.
  • Authenticate users and manage permissions
    • The rights of each user are set up on arrival and during their evolution according to the principle of minimising access
    • Access to our servers is only via double authentication
    • Access to user profiles is only via double authentication
    • Remotely, the same level of security is in place.
  • Securing workstations
    • The hard disks and SSDs are fully encrypted.
    • Passwords are changed regularly.
    • The same security is applied to the mobile fleet of our hardware terminals.
  • Protecting the internal IT network
    • Our servers and network infrastructure are surrounded by numerous security measures ;
    • We conduct regular cyber security audits ;
    • Our IT service provider installs updates as they are released;
    • Data and files are stored on our servers in Saint-Etienne (42).
  • Backup and business continuity planning
    • We back up our databases and files in accordance with the recommendations of the ANSSI, in order to ensure business continuity in the event of an IT incident ;
  • Supervise the maintenance and destruction of data
    • Retention periods are defined for each of our processes ;
    • The destruction of paper files is carried out in accordance with our ethical rules ;
    • Digital data is deleted after the file’s archiving period has expired.
  • Managing subcontracting
    • Our data outsourcing relationships are few and far between. Indeed, we wish to maintain our sovereignty over data hosting and security.
    • We choose French partners, guaranteeing data hosting in the European Union.
    • A written contract is concluded with each subcontractor.
  • Securing exchanges with other organisations
    • For sending heavy or highly sensitive or personal files, we provide our SaaS partner’s 100% encrypted tool, hosted in France.
  • Protecting the premises
    • Our premises are under alarm.

5. What data do we process ?

We collect and process in particular the surname, first name, professional contact details and professional data (position, employer) of our contacts.

During the execution of our missions, we may have to process all types of personal data, depending on the nature of the file and the files or documents that you send us.

On the web, the only personal data we collect is your IP address and the content of the contact forms you send us.

6. For what purposes do we process this data?

  • PURPOSE 1 : To carry out our missions

The data you provide us with allows us to analyse and study the legal situation, to develop a strategy for handling the case, to advise, assist or represent you in accordance with the fee agreement we’ve concluded.

  • PURPOSE 2 : To communicate with you in the context of information about our activities

We use your contact details to send you our newsflash (if you subscribed to it), and any correspondence proposing a personalised offer, following our professional rules.

  • PURPOSE 3 : Rules on LCB-FT

The processing of data on the typology of our clientele (natural persons only) (CSP, sector of activity in particular) enables us to comply with our obligations in terms of fight against money laundering and financing of terrorism.

  • PURPOSE 4 : The security of our information system and our website

We collect certain browsing data to enable us to ensure the security of our services and to detect, prevent or trace any attempt at malicious intent or computer intrusion.

  • PURPOSE 5 : Organisation of web conferences and training courses

Certain information enables us to organise these events, to send you the connection link or your invitation, your certificates of achievement, your training materials and satisfaction questionnaires.

7. What is the legal basis for the data processing we carry out?

  • PURPOSE 1 : To carry out our missions

The legal basis for this processing is :

– the legitimate interest of our company when the fee agreement is concluded with a legal entity,

– the execution of a contract when the fee agreement is concluded with a natural person.

  • PURPOSE 2 : To communicate with you in the context of information about our activities

The legal basis for this processing is :

– the legitimate interest of our company in sending our news flashes,

– the consent of the recipient for personalised solicitation correspondence

  • PURPOSE 3 : Rules on LCB-FT

The legal basis for this processing is the legitimate interest of our company.

  • PURPOSE 4 : The security of our information system and our website

The legal basis for this processing is the legitimate interest of our company.

  • PURPOSE 5 : Organisation of web conferences and training courses

The legal basis for this processing is the legitimate interest of our company and the execution of a contract.

 

8. How long do we keep personal data?

  • PURPOSE 1 : To carry out our missions

The data is kept for the entire duration of the mission, which extends from the day of our referral to the day of receipt by you of our letter archiving the file, and then beyond this period for 10 years in paper and/or digital archives.

  • PURPOSE 2 : To communicate with you in the context of information about our activities

The data is kept for the duration of the mission, which extends from the day of our referral to the day you receive our letter archiving the file.

The data may be kept until the end of a period of 3 years from the end of our relationship, unless you object.

  • PURPOSE 3 : Rules on LCB-FT

This processing does not give rise to an additional data retention rule.

  • PURPOSE 4 : The security of our information system and our website

In the context of this purpose, the period of data retention extends until the expiry of the statute of limitations for any legal action.

  • PURPOSE 5 : Organisation of web conferences and training courses

The data is kept for a period of :

  • 3 years for webinars, web conferences and free events;
  • 5 years in the case of paid training courses.

 

9. Who are the recipients of the personal data?

The data we collect may be passed on to our service providers (subcontractors) only for one of the purposes mentioned above.

Our firm does not pass on any personal data either free of charge or for a fee.

Our service providers are data processors. They act solely on our instructions and with the means we have defined. They do not own any of the personal data to which they have access and may not copy or trade in it.

Our partners who may have access to your data

The service providers who have access to the data are as follows:

  • Our external IT service provider AMIELEC, as part of its mission to secure our IT equipment and networks;
  • Our accountant, for accounting documents only (estimates, fee agreements, etc.)
  • Our electronic signature service provider DOCAPOSTE (LA POSTE group);
  • Our partner TRANSFERTPRO, provider of an encrypted file transfer solution hosted in France;
  • Third-party cookie publishers (see our cookies banner on the lex-part.com website);
  • Microsoft, for emails and any content exchanged via Teams and/or OneDrive.

Is your data transferred outside the EU ?

No personal data is transferred outside the European Union, including data hosted by Microsoft, which is contractually guaranteed to be in the European Union.

10. Know and exercise your rights

 

In accordance with the regulations in force and in particular the General Data Protection Regulation (GDPR) and the law on personal data, the persons whose personal data we process have rights relating to this data.

 

Right to object

You have a right to object to the processing of your personal data but only where the processing we are doing is based on our company’s legitimate interest.

If you wish to object to the processing of your personal data, you must justify to us the reasons relating to your particular situation which explain the exercise of your right to object.

We will not be able to comply with your request if the processing is necessary for the exercise of our legal rights, or if we have legitimate reasons for carrying out the processing which override your rights and interests.

 

Where the processing is based on your consent, in particular with regard to personalised solicitation of commercial offers from our firm, you have a right of objection which does not require justification.

 

Rights of access, rectification, deletion, limitation, portability and other rights

You have :

– a right of access to the personal data we process about you.

Where your request is made electronically, we will provide you with a copy of that information in electronic form.

– a right of rectification enabling you to ask us to amend or update your personal data where it is inaccurate or incomplete. We will make the requested changes as soon as possible.

– a right to erasure allowing you to ask us to delete your personal data that is no longer necessary for the purpose for which it was collected. We will proceed with this deletion as soon as possible if your request is justified.

– a right to limit the processing to the mere retention of your personal data, but only in the following cases

o if the accuracy of your data is disputed, until the accuracy of the data is confirmed;

o if the processing is unlawful and you prefer simple retention of your data rather than deletion

o if we no longer need your personal data but it is necessary for us to exercise your legal rights

o if you have exercised your right to object (see above) until the legitimacy of the processing to which you object is verified.

– a right to portability allowing you to ask us to transmit your personal data to a specific third party. Only data provided by you and whose processing is based on your consent or the performance of a contract (see table in Article 3 above) may be transmitted. The exercise of this right may not, however, under any circumstances result in a breach of our ethical rules.

– a right not to be the subject of an automated individual decision.

However, we do not implement such decisions.

– a right to decide what happens to your personal data in the event of your death. You may give us specific instructions on how you wish to exercise the above rights after your death. These directives may also be registered with a trusted digital third party certified by the Commission Nationale de l’Informatique et des Libertés (CNIL). These directives may designate a person responsible for their execution, who is then entitled, when you die, to take cognisance of your directives and request their implementation from us. In the absence of such a designation or, unless otherwise instructed, in the event of your death, your heirs are entitled to take cognisance of your instructions on your death and to request their implementation from us. In the absence of a directive, your heirs may contact us to :

o access the data necessary for the organisation and settlement of your estate,

o to receive communication of digital assets or data relating to family memories,

o close your account with us and object to the further processing of your personal data or have it updated.

 

How to exercise your rights

You can exercise your rights by contacting us by email to our Data Protection Officer at the above address.

If you are writing to us from an unusual email address, you must include a copy of your ID with your request.

Exercising your rights does not give rise to any refusal on our part or to any invoicing, unless the request is manifestly abusive or excessive.

We will give you a reply within one month of your request. This period may be extended by two months for reasons relating to the complexity of your request, the number of requests or any other situation that would prevent us from providing you with a response within the initial one-month period.

 

Right to lodge a complaint with the CNIL

You have the right to make a complaint to the CNIL (Commission Nationale de l’Informatique et des Libertés), which will inform you of the progress of your case and its outcome, as well as the right to legal recourse.

If you live outside France but within the European Union, you may choose to address your complaint to the supervisory authority in your country of residence.

 

Disponibilite et réactivité

Availability and Responsiveness

Proximité et prestations sur mesure

Proximity and Tailor-made services 

Rigueur et pragmatisme

Rigour and Pragmatism

Secret professionnel

Professional secrecy

Clarte des honoraires

Clarity of fees