Introduction – General obligation of confidentiality
The protection of your personal data and of your business and trade secrets is taken very seriously by us as lawyers. We are already bound to the highest degree of confidentiality by our obligations of professional secrecy. It goes without saying that we will comply with all applicable data protection regulations, in particular those of the EU General Data Protection Regulation (hereinafter: “GDPR”), when processing your personal data. In the following paragraphs, we will explain which of your personal data will be processed by us for what purposes and how you can enforce the rights granted to you under the GDPR.
Personal data and purposes of processing
Whenever you retain our services or enter into a contractual relationship with us, you will disclose personal data and, if applicable, also business and trade secrets; such data may refer to you personally, or to your family members, employees or other third parties. In all cases, we will generally assume that you have been duly authorised to disclose such information.
As a law firm, we are committed to representing your interests with zeal, loyalty and diligence. We are therefore legally obliged to collect all personal data about you that we may require to ensure a conscientious representation. In addition, we will process your personal data on the basis of the retainer agreement, your consent or any other legal basis covered by data protection laws.
We will only collect such personal data as may be necessary for the performance of our legal services or which you have provided to us voluntarily. Please note that if you refuse to provide all or some of the personal data required in connection with the performance of our legal services, we may have to refuse to represent you.
2.2. Case-based compliance
Pursuant to regulations for the prevention of money laundering & terrorist financing in law firms, we are in some cases required to comply with strict legal identification, reporting, recordkeeping and other due diligence requirements.
These requirements apply to the following transactions pursuant to Section 8a (1) Bar Statute (Rechtsanwaltsordnung):
- (a) all financial or real estate transactions which we carry out on behalf of and on account of our party, as well as
- (b) planning or execution of transactions to the extent they involve the following:
  - purchase or sale of real estate or businesses,
  - the management of money, securities or other assets,
  - the opening or management of bank accounts, savings accounts or securities accounts, or
  - the establishment, operation or administration of trusts, corporations, foundations or similar structures, including the raising of funds necessary for the establishment, operation or administration of corporations,

as far as the order value of the transaction amounts to at least € 15,000.00 and/or if permanent business relationships are established and/or if there are any grounds for suspicion.
In these cases, we are legally obliged to demand sufficient proof of identity and, if applicable, power of representation from clients (in case they are legal entities, from their beneficial owners) and, if applicable, from executive employees or from natural persons or legal entities for whom the client acts as a trustee.
All personal data processed in this context will be deleted after a maximum period of ten years unless we are entitled or obliged to retain them for a longer period based on other legal or contractual obligations (Section 12 (3) Bar Statute (Rechtsanwaltsordnung)).
Transmission of data to third parties required in individual cases
When taking care of your interests, it may, on occasion, also prove necessary for us to transfer your data to third parties (e.g. to the counterparty, to substitutes, to insurance companies, to the service providers whom we use and to whom we provide data, etc.), courts or authorities. In addition, an international issue raised in connection with a case may require us to exchange data with foreign correspondence law firms. Your data will only be disclosed in accordance with data protection laws, particularly in connection with our compliance with your orders or on the basis of your prior consent.
Furthermore, we inform you that as part of our legal representation and support, we will regularly obtain factual and case-related information about you from third parties (e.g. search engines, the website of your company). In addition, we may have to disclose your personal data to authorities or courts upon their request. In all such cases, however, we will always make sure that the legal basis is adhered to and that your personal data remains adequately protected.
In order to comply with the regulations for the prevention of money laundering & terrorist financing in law firms (see 2.2.), we may be obliged to verify your data with official compliance databases (e.g. register of beneficial owners, PEP databases, sanctions lists) to the extent necessary for this purpose by involving third-party providers. Your data will only be transmitted to providers of such databases to the extent necessary for this purpose.
Some of the above mentioned recipients of your personal information may be located outside your country or outside the EU/EEA and process your personal information there. The level of data protection in other countries may not be the same as that in Austria. We will ensure that European data protection standards and European data security standards are adhered to at all times. Therefore, we will only transfer your personal data to countries regarding which the EU Commission has determined that they have implemented an adequate level of data protection; alternatively, we will take measures to ensure that all recipients provide an adequate level of data protection by including standard contractual clauses (2010/87/EC and/or 2004/915/EC). Otherwise, your personal data will only be transmitted to third countries subject to your express consent to the transfer of the data after you have been informed of the potential risks that you may incur as a result of such transfers without an adequacy decision and without appropriate guarantees.
We will not store data for longer than is necessary to fulfill our contractual or legal obligations and to defend against possible liability claims.
The protection of your personal data will be ensured through appropriate organisational and technical precautions. These precautions are aimed, in particular, at protecting your data against unauthorised, unlawful or accidental access, processing, loss, use and manipulation.
Notwithstanding our efforts to maintain a consistently high standard of due diligence, it is impossible to rule out that information you provide to us over the Internet may be viewed and used by others.
Please note, therefore, that we accept no liability whatsoever for any disclosure of information as a result of data transmission errors that are not due to any fault or negligence on our part, and/or for any unauthorised access by third parties (e.g. hacker attacks on email accounts or telephones, interception of fax messages).
As a client or generally as a data subject as defined by the GDPR, you are entitled to demand information about your personal data processed by us, their origin and recipients, the duration of their storage and the purpose of data processing. You may, however, exercise this right only to the extent that the disclosure of such information does not violate the attorney’s obligation of professional secrecy.
If we process personal information about you that is incorrect or incomplete, you may request that it be corrected or completed.
You may also request the deletion of any unlawfully processed data. Please note, however, that this only applies to incorrect, incomplete or unlawfully processed data.
If it is unclear whether the personal data processed in relation to you is inaccurate or incomplete or has been improperly processed, you may request that the processing of your data be restricted until the matter in question shall have been finally resolved.
You are entitled to object to the processing of your personal data, provided that such data processing is based on our legitimate interest. If you decide to exercise your right to object, we will ask you to explain your reasons for doing so.
Please note that these rights are complementary, so that you can only request either correction and/or completion of your data, or their deletion.
Please let us know whenever there are any changes to your personal data.
While we strive to protect your privacy and the integrity of your data to the greatest possible extent, disagreements about the way your data is used can never be ruled out completely. If you believe that we are using your data in an inadmissible manner, you are entitled to appeal to the Austrian Data Protection Authority. We hope, however, that you will contact us first, to give us an opportunity of allaying any concerns on your part.
The data controller in respect of all your personal data is:
Gassauer-Fleissner Rechtsanwälte GmbH, Wollzeile 3 / Lugeck 6, 1010 Vienna
Should you have any questions, please do not hesitate to contact us at: firstname.lastname@example.org