Information on processing of personal data
Our law firm protects all personal data processed by us as strictly confidential and handles it in accordance with the applicable data protection legislation. Ensuring the effective protection of our client's personal data is a priority for us.
The following information provided pursuant to Article 13 of Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), provides a general overview of the handling of clients' personal data in connection with the provision of legal services.
Identity and contact details of the data controller
Harbour Legal s.r.o. advokátní kancelář, with registered office at Palác Archa (entrance C), Na Poříčí 1047/26, Prague 1, Postal Code: 110 00, ID No.: 094 64 671, registered in the Commercial Register maintained by the Municipal Court in Prague under file number C 336682.
Purpose of personal data processing
The purpose of the processing of personal data obtained from the client is the provision of legal services (representation in proceedings before courts and other authorities, defence in criminal cases, giving legal advice, drafting of documents, preparation of legal analyses and other forms of legal assistance) and the management of property, including the receipt of money and documents into the attorney's custody.
Clients' personal data is also processed for the purpose of fulfilling the legal obligations of the controller (in particular obligations in terms of accounting and tax legislation), as well as for the purpose of protecting the controller's legitimate interests (e.g. debt recovery).
Categories of personal data processed
Depending on the circumstances of the particular case, the controller processes the following categories of personal data of clients in the scope necessary for the conclusion and performance of the contract for the provision of legal services, the fulfilment of legal obligations and the protection of the controller's legitimate interests:
identification details (name, surname, academic degree, date of birth, birth number, company ID number, VAT number, etc.);
contact details (permanent address, delivery or other contact address, registered office, telephone number, e-mail address, data box ID);
data related to the provision of legal services (depending on the specific case, this may include sensitive personal data);
other personal data necessary for the performance of the legal services contract, the fulfilment of the legal obligations of the controller or the protection of the controller's legitimate interests (e.g. bank account number and transaction details).
Legal basis for processing personal data:
The processing is necessary for the performance of a contract for the provision of legal services to which the client as data subject is a party. The provision of personal data in these cases is a contractual requirement. If the client does not provide the controller with his/her personal data, the controller will not be able to provide the legal services to the client.
The processing is necessary for the implementation of measures taken prior to the conclusion of the legal services contract at the request of the data subject. If the data subject does not provide the controller with his or her personal data, the controller will not be able to carry out the requested measures.
The processing is necessary for the fulfilment of the legal obligations to which the controller is subject if it is an obliged person within the meaning of Act No. 253/2008 Coll., on certain measures against the legalization of the proceeds of crime and terrorist financing, as amended (hereinafter referred to as the "AML Act"). The custodian as a law firm is an obliged person for the purposes of the AML Act when custody of the client's money, securities or other property is provided or when the services requested by the client shall consist of or consist of acting on behalf of or for the account of the client in:
the custody of the client's money, securities, business holdings or other property, including acting on behalf of or for the account of the client in connection with the establishment of an account with a credit institution or a foreign credit institution or a securities account and the administration of such account,
the establishment, management or operation of a company, business grouping or other similar entity, whether or not it is a legal person, and the raising and collecting of funds or other money valuables for the purpose of establishing, managing or controlling such an entity; or
collections, payments, transfers, deposits or withdrawals made in cash or non-cash payment transactions, or any other act which tends to or directly causes the movement of money.
Arranging the purchase or sale of immovable property or an enterprise or part thereof.
In the cases provided for in the AML Law, the controller shall be obliged to carry out the identification of the client, in which the controller shall record the client's identification data and verify them from the identity card, if any, and record the type and number of the identity card, the state or authority issuing it, if any, and the period of its validity.
As part of the identification of the client, the controller is obliged to ascertain and record whether the client is a politically exposed person or a person against whom the Czech Republic applies international sanctions pursuant to the Act on the Implementation of International Sanctions.
The client shall provide the controller with the information necessary to carry out the identification, including the submission of relevant documents. For the purposes of the AML Act, the controller is authorised to make copies or extracts of the documents submitted and to process the information thus obtained to fulfil the purposes of the AML Act. The provision of personal data in these cases is a legal requirement. If the client does not provide the controller with his personal data, the controller will not be able to provide the client with the services to which the controller's obligations under the AML Act apply.
The processing is necessary for the exercise of the controller's rights (e.g. debt recovery).
Categories of recipients of personal data
Where processing is to be carried out for the controller by a third party (processor), the controller shall use only those processors which provide sufficient guarantees to implement appropriate technical and organisational measures to ensure that the processing complies with the requirements of the legislation and to safeguard the rights of the data subject.
The personal data of the client in the scope of name, surname and address of residence may be provided to entities providing accounting services and tax consultancy to the controller, for the purpose of issuing tax documents in connection with the billing of fees for legal services rendered and the fulfilment of the controller's tax obligations.
In the case of funds, securities or other assets received by the controller for administration, the personal data of the client in the scope of name, surname, date of birth and/or birth number will be provided to the bank or other person authorised under special legislation to receive deposits or to administer securities or other assets, which maintains a special account in which the controller is obliged to deposit such assets received for administration.
Depending on the nature of the legal service provided, personal data may be disclosed to public authorities (in particular courts and administrative authorities) to the extent necessary.
The client's personal data will also be disclosed to other recipients to the extent necessary and as instructed by the client.
Period for which personal data will be stored
The controller processes and stores personal data for the period of time necessary for the exercise of the rights and obligations arising from the respective contractual relationship and for the period of time for which the controller is obliged to store personal data under generally binding legal regulations.
The personal data contained in the client file and/or documentation shall be stored for the duration of the provision of legal services and shall be retained as part of the client file and documentation for a period of five years from the date of termination of the provision of legal services, unless otherwise provided for by law or by a specific statutory regulation to which the controller is bound.
The controller is obliged to keep the asset management contract, copies of documents submitted by the client, the power of attorney granted to him by the client, or other documents arising in connection with the administration of the client's assets for a period of ten years from the end of the administration.
In cases where the controller acts as an obliged person within the meaning of the AML Act, it shall keep the data and documents obtained in connection with the identification of the client and/or the control of the client under the AML Act for a period of 10 years from the execution of the transaction or the termination of the business relationship with the client, such period to commence on the first day of the calendar year following the year in which the last transaction known to the controller as an obliged person was executed.
The personal data will also be retained for the period necessary to settle the obligations and claims of the data subject and the controller.
Transfer of personal data to third countries
The controller does not intend to transfer the client's personal data to third countries or international organisations. Only in the event of a procedure under Article 34 of the Convention for the Protection of Human Rights and Fundamental Freedoms (filing an individual complaint against a violation of the rights granted by this Convention and the Protocols) may the personal data of the client be transferred to the European Court of Human Rights.
Method of processing and protection of personal data
The processing of personal data in paper form is carried out manually, the processing of personal data in electronic form is carried out by means of computer technology, all in compliance with the security principles for the management and processing of personal data. To this end, the controller has adopted technical and organisational measures to ensure the protection of personal data, in particular measures to prevent unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transmission, unauthorised processing and other misuse of personal data. All entities to which personal data may be disclosed shall respect the right of privacy of data subjects and shall comply with applicable data protection legislation.
Rights of the data subject
The data subject shall have the right to request from the controller access to, rectification or erasure of, or restriction of processing of, personal data concerning the data subject and to object to processing, as well as the right to data portability. The data subject shall also have the right to lodge a complaint with the supervisory authority.
The right of access to personal data means that the data subject has the right to obtain information from the controller as to whether the controller processes his or her personal data and, if so, which data are processed and how they are processed.
The data subject shall have the right to have inaccurate personal data concerning him or her rectified by the controller without undue delay at his or her request. The data subject shall have the right to have incomplete personal data completed at any time.
The right to erasure of personal data corresponds to the obligation of the controller to erase the personal data it processes about the data subject if certain conditions are met and the data subject so requests.
The data subject has the right to have the controller restrict the processing of his or her personal data in certain cases. The data subject shall have the right to object at any time to processing which is based on the legitimate interests of the controller, of a third party or is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
The right to data portability gives the data subject the possibility to obtain the personal data he or she has provided to the controller in a standard, machine-readable format. He or she may subsequently transmit these data to another controller or, where technically feasible, request that the controllers transmit them between themselves.
If the data subject is in any way dissatisfied with the processing of his or her personal data by the controller, he or she may lodge a complaint directly with the controller or contact the Data Protection Authority as supervisory authority.
More information on the rights of data subjects is available on the website of the Data Protection Authority (https://www.uoou.cz/6-prava-subjektu-udaj/d-27276).
The data subject may at any time contact the controller with any questions or requests through e-mail email@example.com, or in writing to the controller (Palác Archa, Na Poříčí 1047/26, Prague 1, Postal Code: 110 00).