In accordance with the GDPR, you will find in the present privacy policy (the “Policy”) information on how we process the personal data collected from you or in relation to you and what claims and rights the data subjects whom personal data are processed by us are entitled to.
For the purpose of the present Policy, the below terms shall have the following meaning:
Within the frame of our engagement we shall qualify as data controller pursuant to the GDPR which means that in such context we determine the purposes and means of the processing of personal data.
In accordance with article 13 1. a) of the GDPR, our details are as follows:
Luther S.A.
1B Heienhaff, L-1736 Senningerberg
Tel. +352 27 48 41
Fax +352 27484 690
E-Mail: luxembourg@luther-lawfirm.com
1. Categories of personal data processed
The categories of personal data we may process within the frame of our engagement include the following:
Category of personal data | Information on the personal data processed (indicative and not exhaustive) |
Identification data | name, title, professional title or position, address, e-mail address, telephone number/mobile phone number, ID card/passport, signature, marital status |
Beneficial ownership details | information on prominent public position (of a political, judicial, military or administrative nature) held (e.g. Membership in charities, trade unions, political parties), CV or resume, nature and extend of beneficial interest held, information on the geographic and economic source of revenues, press articles |
Engagement data | e-mails, information contained on data rooms on which access has been granted to us within the frame of our engagement (such as contracts, registers, policies…) or provided otherwise in any form to us within the frame of and/or in relation to our engagement |
Financial data | billing address, bill, bank account details, bank statements, tax information |
HR details | information on salary, pension and benefits, CV and resume, diploma, education and appraisals, tax status |
Marketing preferences | information on the subscription to our marketing communications, our invitations to events or to opt-out from our marketing emailing |
Procedural data | procedural file, criminal records, court decisions or orders |
2. Categories of data subjects
The categories of data subjects we may process within the frame of our engagement include the following:
Category of data subjects | Details on the data subjects concerned (indicative and not exhaustive) | Categories of data which we may process |
Client | the natural person involved or in case of legal persons, their legal representatives, staff, officers, committee members or other persons acting on their behalf | Identification data, beneficial ownership details, financial data, HR details, engagement data, marketing preferences |
Persons having an actual or potential interest in the client or its subsidiaries or entities affiliated thereto (e.g. shareholders, investors, bond holders, bare owner/usufruct holder, members of co-ownership…) | ||
Subsidiaries and affiliated entities | ||
Targets | ||
Beneficial owners | the beneficial owner of the client and his/her family | Identification data, beneficial ownership details, financial data |
Prospects, advisors of the client, adverse parties, commercial partners, public authorities and administration |
| Identification data, financial data, marketing preferences |
Our services are neither aimed at nor intended for children. However, we may process children’s personal data for certain type of services or to comply with our legal obligations in connection with the provision of our services (e.g. within the frame of our anti-money laundering obligations). When you provide us with such personal data we will consider that the consent of the holders of parental responsibility over the children concerned has been obtained.
When you provide us with personal data of data subjects, you remain responsible for such transfer and should ensure in advance that you are entitled to do so, in particular when such personal data qualify as sensitive data for which the prior consent of the data subject is required for their transfer, and shall make this Policy available to the relevant data subjects.
Please ensure that you only provide us with personal data that we ask for and refrain from providing us with documents, communications and information which would not be relevant for the intended purpose.
We process personal data for the following purposes:
1. Performance of a contract or pre-contractual measures (art. 6 1. (b) GDPR)
Personal data made available to us for the preparation of a contract or its execution is processed for the following purposes:
2. Compliance with a legal obligation to which we are subject (art. 6 1. (c) GDPR)
We will process personal data for the purpose of ensuring compliance with our legal obligations (and in particular within the frame of the fight against money laundering and the financing of terrorism, tax control or to comply with our obligation to have our accounts audited) and the professional rules set by the Luxembourg Bar Association.
Furthermore, the disclosure of personal data within the framework of official/judicial measures may become necessary for the purposes of taking evidence, prosecution or the enforcement of civil law claims.
Within the frame of our anti-money laundering obligations we will conduct Know Your Customer checks and may, in this context, process special categories data, in order, among others, to determine whether your beneficial owner(s) is a / are politically exposed person(s).
3. Legitimate interest (art. 6 1. (f) GDPR)
We may process personal data, where required to protect our legitimate interests or those of third parties, provided that the interests or fundamental rights and freedoms of the data subject(s) concerned do not conflict with this. Legitimate interests may include our economic interests, our legal interests, and our interest in complying with and ensuring compliance or IT security.
For example, the following cases may constitute legitimate interests:
4. Consent (art. 6 1. (a) GDPR)
If we have not already established a business relationship, we will use, with your consent, your personal data for marketing purposes, such as the transmission of our newsletter or invitations to events that may be of interest to you.
5. Consequences in case of failure to provide personal data requested
Where we need to collect personal for any of the purposes mentioned above at section 5 and you fail to provide us with the personal data we request, we may, depending on the nature of the personal data requested, not be able to perform the contract we have or are trying to enter into with you or may not be able to render certain services only. In this case, we may have to decline to provide the relevant services and will notify you accordingly.
Our employees are primarily entitled to receive knowledge of your personal data.
Luther S.A. is part of the same network as Luther Rechtsanwaltsgesellschaft mbH, Anna-Schneider-Steig 22, 50678 Cologne, Germany (“Luther Germany”) and is assisted by Luther Germany as data processor for certain tasks such as conflict checks or EDP/IT security so that the personal data we collect may be shared with Luther Germany for these purposes.
Personal data may be shared with third parties for the purposes mentioned above at section 5 or if the data subject concerned has given his/her consent.
Recipients of the personal data collected by us may be in particular:
We may transfer personal data to countries outside the EU or the EEA only in the following cases:
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements or for the establishment, exercise or defence of legal claims.
Personal data collected for the purpose of complying with our legal or regulatory obligations will be retained on the basis of their relevant statutory limitation periods.
When personal data are processed on the basis of the data subject’s consent, such processing will continue the until revocation of data subject’s consent, or - if we use personal data for marketing purposes - until the data subject’s objection or if we receive delivery failure messages.
Statutory limitation periods are, as of this date, as follows for the below documents:
Duration | Nature of the documents | Starting point |
30/10 years | accounting documents and documents relating to direct or indirect taxes | after the end of the accounting period to which they relate |
documents relating to our business relationship | after the end of such relationship | |
5 years | documents collected for the purpose of ensuring compliance with our anti-money laundering obligations | after the end of our relationship |
If the personal data are no longer required for the fulfilment of contractual or statutory obligations and rights, they are regularly deleted, unless their - limited - further processing is necessary to fulfil the purposes listed under section 5. In these cases, even after termination of our business relationship or our pre-contractual legal relationship, we may store and, if necessary, use the personal data for a period compatible with the purposes.
We do not use automated decision making in accordance with article 22 of the GDPR.
Under certain conditions, data subjects may exercise the following rights:
The details of the CNPD are the following:
Commission nationale pour la protection des données
15, Boulevard du Jazz
L-4370 Belvaux
Phone: (+352) 26 10 60 -1
For any question or further information on data subject’s rights, please contact us at: luxembourg@luther-lawfirm.com.
We may need to request specific information from data subjects to help us confirm their identity and ensure their right to access their personal data (or to exercise any of their other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact the relevant data subjects to ask them further information in relation to their request to speed up our response.
If you qualify as issuer of financial instruments under the regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC Text with EEA relevance (the “Market Abuse Regulation”) we may, under certain circumstances, be considered as a permanent insider (as this term is defined in MAR) and you are as such entitled to access our insider list (as defined in article 18 of the Market Abuse Regulation) concerning the inside information we received from you.
This Policy is as of 25 January 2022 and we reserve the right to make changes to the latter.