Michalopoulou & Associates Law Firm (“Lawgroup”) takes her data protection and information security responsibilities very seriously. Lawgroup needs to gather and use certain information about individuals, including customers, suppliers, business contacts, employees and other entities for which Lawgroup has a relationship with or may need to contact.
The Policy also applies to the non-automated processing of such data, which are included or will be included in an archiving system. Although the individual case file is not considered an archiving system in itself, all of the case files handled and archived by Lawgroup fall within the meaning of the "filing system".
The Policy applies beyond "legal secrecy" and in parallel to it. The obligations of confidentiality deriving from the principle of security, as specified in Article 32 of the General Data Protection Regulation, are subject to the provisions of the Code of Conduct for Lawyers on confidentiality.
2. Policy Scope
This Policy applies to:
- The offices of Lawgroup
- All staff, lawyers, and associates of Lawgroup
- All contractors, freelancers, suppliers and other people working on behalf of Lawgroup
This Policy ensures that Lawgroup:
- Complies with data protection law and follows good practices
- Protects the rights of staff, customers, partners and associates
- Protects itself from the risks of a data breach
3. What personal data do we collect
This Policy applies to all data that Lawgroup holds relating to identified or identifiable natural persons, even if that information technically falls outside of the General Data Protection Regulation. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Banking information
- Any other information relating to natural persons (e.g. job title)
In particular, Lawgroup in her capacity as Data Controller, processes personal data, if a case involves and includes natural persons or legal entities, if the relevant file contains almost unchanged details of legal representatives, persons involved in the administration, associates, etc. In cases where the client gives clear, detailed and specific instructions to Lawgroup to process personal data on behalf of the client, Lawgroup acts in her capacity as Data Processor, since Lawgroup processes personal data without having control over the purposes and the means of processing the relevant personal data.
4. What are our legal bases of processing of personal information
The basis for the processing of personal data relates to the legal bases of Articles 6 and 9 of the GDPR and dictate the process of personal data:
i) on the basis of subject’s consent (e.g. when a visitor of our website fills in their email address to subscribe to our newsletter or sends their Curriculum Vitae);
ii) on the basis of our legitimate interests to provide legal services (including legal representation) and advice to our clients;
iii) for the performance of contractual obligations;
iv) based on a legitimate interest in order to comply with obligations related to the operation of our business (e.g., record keeping, billing and tax compliance purposes) and
v) based on meeting our legal and regulatory obligations.
We process special categories of personal data only if it is absolutely necessary and based on your consent, in terms of the exercise or defense of legal claims, for employment and social security law related purposes, or finally for reasons of public interest.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the legislative provisions, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
6. Confidentiality & Security
Maintaining the security of your personal data is our priority. Appropriate security policies and rules apply to this, as well as technical and organizational measures regarding the protection of the confidentiality, integrity, accessibility, transparency of your personal data provided to us by unauthorized access, misuse, disclosure, unauthorized modification, unlawful destruction or accidental loss. Due to the fact that information systems are by nature not completely secure, therefore the overall security of your data can not be guaranteed. Likewise, no guarantee is provided, nor can we be held responsible for the security of data from other networks. All partners and those responsible for processing your data (i.e., those who process your personal data on behalf of Lawgroup) who process your personal data must respect this Policy.
7. Access policy
Access to the personal data files within Lawgroup is available to all associates - lawyers of the company, even those associates who are authorized for this purpose but are not covered by legal secrecy.
8. Your rights
You have the following rights in relation to your personal data we process:
- The right to withdraw consent
- The right to access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object to processing
- The right to lodge a complaint with the Personal Data Protection Authority
- Rights in relation to automated decision making and profiling, which may be exercised by contacting Lawgroup at the email address that you will find below.
9. Subject access requests
All individuals who are the subject of personal data held by Lawgroup are entitled to know:
- What information the company holds about them.
- The purposes for which the personal data is being processed.
- Who, if anyone, the personal data is disclosed to.
- The extent to which it is using the personal data for the purpose of making automated decisions relating to the data subject and, if so, what logic is being used for that purpose.
- Details of the origin of their data if it was not collected from them.
10. Subjects should be informed of
- how to gain access to their data
- how to keep it up to date
- how the law firm is meeting its data protection obligations
- how to limit the processing of their data
- how to oppose the processing of their data
If a natural person contacts Lawgroup requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by email and addressed to Lawgroup at firstname.lastname@example.org.
Lawgroup will aim to provide the relevant data within one (1) month. This deadline can be extended to three (3) months if the request is complex. The individual making the request will be notified within one (1) month if the response will take up to three (3) months.
Lawgroup reserves the right to charge a reasonable fee if the subject access request is excessive and complicated.
Lawgroup will always verify the identity of anyone making a subject access request before handing over any information.
11. Disclosing data for other reasons
In certain circumstances, the GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Lawgroup will disclose the requested data. However, Lawgroup will ensure the request is legitimate.
12. Conservation and deletion policy
Personal data shall be deleted/destroyed after a reasonable period of time from the assignment, especially when it is no longer necessary for the fulfillment of the purposes for which the order was collected (including for satisfying any legal, accounting, or reporting requirements). Especially, for site visitors, we will retain relevant personal information for at least three years from the date of your last interaction and in compliance with our obligations under the EU General Data Protection Regulation or for longer, if required by our regulatory or professional indemnity obligations. For the Service provision to any client, we will retain relevant personal information for at least seven years from the date of our last interaction and in compliance with our obligations under the EU General Data Protection Regulation or for longer, as required by our regulatory or professional indemnity obligations. We may then destroy such files without further notice or liability.
If the personal information is only useful for a short period e.g. for specific marketing campaigns, we may delete it.
In exceptional cases, the data should be kept for other legal purposes (e.g. tax audits).
13. Changes to this Policy
For more information, please contact Lawgroup using the details below, or visit our website.
T: 210 330 52 30 | F: 210 330 52 32
Michalopoulou & Associates Lawgroup, 40, Ag. Konstantinou st. | “Aithrio” Business Center (Α16-18)
15 124 Marousi | Athens | Greece