Luther S.A. – Privacy Policy

In accordance with the GDPR, you will find in the present privacy policy (the “Policy”) information on how we process the personal data collected from you or in relation to you and what claims and rights the data subjects whom personal data are processed by us are entitled to.

 

Definitions

For the purpose of the present Policy, the below terms shall have the following meaning:

  • data subjectmeans an identified or identifiable natural person.A natural person is identifiable when he/she can be identified either directly or indirectly, for example, through the use of an identifier, such as an identification number.
  • “personal data” is any information relating to a data subject, whether it relates to his or her private, professional or public life. Personal data therefore covers a lot of information and can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites or a computer’s IP address.
  •  “data procession” or “processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation or data relating to criminal convictions and offences.

 

Data controller and contact details

Within the frame of our engagement we shall qualify as data controller pursuant to the GDPR which means that in such context we determine the purposes and means of the processing of personal data.

In accordance with article 13 1. a) of the GDPR, our details are as follows:

Luther S.A.
1B Heienhaff, L-1736 Senningerberg
Tel. +352 27 48 41
Fax +352 27484 690
E-Mail: luxembourg@luther-lawfirm.com

 

Categories of personal data we process and data subjects concerned

1. Categories of personal data processed

The categories of personal data we may process within the frame of our engagement include the following:

Category of personal data

Information on the personal data processed (indicative and not exhaustive)

Identification data

name, title, professional title or position, address, e-mail address, telephone number/mobile phone number, ID card/passport, signature, marital status

Beneficial ownership details

information on prominent public position (of a political, judicial, military or administrative nature) held (e.g. Membership in charities, trade unions, political parties), CV or resume, nature  and extend of beneficial interest held, information on the geographic and economic source of revenues, press articles

Engagement data

e-mails, information contained on data rooms on which access has been granted to us within the frame of our engagement (such as contracts, registers, policies…) or provided otherwise in any form to us within the frame of and/or in relation to our engagement

Financial data

billing address, bill, bank account details, bank statements, tax information

HR details

information on salary, pension and benefits, CV and resume, diploma, education and appraisals, tax status

Marketing preferences

information on the subscription to our marketing communications, our invitations to events or to opt-out from our marketing emailing

Procedural data

procedural file, criminal records, court decisions or orders

 

2. Categories of data subjects

The categories of data subjects we may process within the frame of our engagement include the following:

Category of data subjects

Details on the data subjects concerned (indicative and not exhaustive)

Categories of data which we may process

Client

the natural person involved or in case of legal persons, their legal representatives, staff, officers, committee members or other persons acting on their behalf

Identification data, beneficial ownership details, financial data, HR details, engagement data, marketing preferences

Persons having an actual or potential interest in the client or its subsidiaries or entities affiliated thereto (e.g. shareholders, investors, bond holders, bare owner/usufruct holder, members of co-ownership…)

Subsidiaries and affiliated entities

Targets

Beneficial owners

the beneficial owner of the client and his/her family

Identification data, beneficial ownership details, financial data

Prospects, advisors of the client, adverse parties, commercial partners, public authorities and administration

  • prospects interested in our services and in case of legal persons, their legal representatives, staff, officers, committee members
  • lawyers, notaries, bailiffs, auditors, bankers, domiciliary agents, advisors, service providers, suppliers involved in any part of our engagement or related thereto or with whom we have established a business relationship, being natural persons, or in case of legal persons, their legal representatives, staff, officers, committee members or other persons acting on their behalf
  • the personnel of public authorities, courts, institutions, administrations, governmental corporations involved in our engagement or related thereto
  • counterparties and adverse parties being natural persons or in case of legal persons, their legal representatives, staff, officers, committee members
  • potential purchasers

Identification data, financial data, marketing preferences

Our services are neither aimed at nor intended for children. However, we may process children’s personal data for certain type of services or to comply with our legal obligations in connection with the provision of our services (e.g. within the frame of our anti-money laundering obligations). When you provide us with such personal data we will consider that the consent of the holders of parental responsibility over the children concerned has been obtained.


Sources of the personal data that we process

We collect personal data from the following sources:

  • yourself as client;
  • the data subjects concerned;
  • lawyers, notaries, bailiffs, auditors, banks, advisors, service providers, management company, suppliers involved in any part of our engagement or related thereto being natural persons or in case of legal persons, their legal representatives, staff, officers, committee members;
  • counterparties and adverse parties being natural persons or in case of legal persons, their legal representatives, staff, officers, committee members;
  • publicly accessible legal sources (e.g. trade and companies registers, companies houses, corporate registrar or similar, beneficial owner or trust registers, sanction lists, social media, press articles, the Internet…).

When you provide us with personal data of data subjects, you remain responsible for such transfer and should ensure in advance that you are entitled to do so, in particular when such personal data qualify as sensitive data for which the prior consent of the data subject is required for their transfer, and shall make this Policy available to the relevant data subjects.

Please ensure that you only provide us with personal data that we ask for and refrain from providing us with documents, communications and information which would not be relevant for the intended purpose.

 

Purposes and legal bases of the data processing

We process personal data for the following purposes:

1. Performance of a contract or pre-contractual measures (art. 6 1. (b) GDPR)

Personal data made available to us for the preparation of a contract or its execution is processed for the following purposes:

  • providing our services;
  • establishing, executing and, if necessary, terminating our contract(s);
  • opening matters, keeping our accounting records up-to-date, invoicing our services and cash collection.

 

2. Compliance with a legal obligation to which we are subject (art. 6 1. (c) GDPR)

We will process personal data for the purpose of ensuring compliance with our legal obligations (and in particular within the frame of the fight against money laundering and the financing of terrorism, tax control or to comply with our obligation to have our accounts audited) and the professional rules set by the Luxembourg Bar Association.

Furthermore, the disclosure of personal data within the framework of official/judicial measures may become necessary for the purposes of taking evidence, prosecution or the enforcement of civil law claims.

Within the frame of our anti-money laundering obligations we will conduct Know Your Customer checks and may, in this context, process special categories data, in order, among others, to determine whether your beneficial owner(s) is a / are politically exposed person(s).

 

3. Legitimate interest (art. 6 1. (f) GDPR)

We may process personal data, where required to protect our legitimate interests or those of third parties, provided that the interests or fundamental rights and freedoms of the data subject(s) concerned do not conflict with this. Legitimate interests may include our economic interests, our legal interests, and our interest in complying with and ensuring compliance or IT security.

For example, the following cases may constitute legitimate interests:

  • recovery of receivables;
  • enhancing the quality of our services and communications;
  • our marketing activities and communications;
  • enforcement of legal claims and defence in legal disputes;
  • EDP/IT security;
  • registration and ranking on legal directories;
  • reorganise ourselves including through mergers, acquisitions or transfers of whole or parts of our business;
  • audit.

 

4. Consent (art. 6 1. (a) GDPR)

If we have not already established a business relationship, we will use, with your consent, your personal data for marketing purposes, such as the transmission of our newsletter or invitations to events that may be of interest to you.

 

5. Consequences in case of failure to provide personal data requested

Where we need to collect personal for any of the purposes mentioned above at section 5 and you fail to provide us with the personal data we request, we may, depending on the nature of the personal data requested, not be able to perform the contract we have or are trying to enter into with you or may not be able to render certain services only. In this case, we may have to decline to provide the relevant services and will notify you accordingly.

 

Recipients of the personal data we process

Our employees are primarily entitled to receive knowledge of your personal data.

Luther S.A. is part of the same network as Luther Rechtsanwaltsgesellschaft mbH, Anna-Schneider-Steig 22, 50678 Cologne, Germany (“Luther Germany”) and is assisted by Luther Germany as data processor for certain tasks such as conflict checks or EDP/IT security so that the personal data we collect may be shared with Luther Germany for these purposes.

Personal data may be shared with third parties for the purposes mentioned above at section 5 or if the data subject concerned has given his/her consent.

Recipients of the personal data collected by us may be in particular:

  • Luther Germany and the members of our international professional network;
  • service providers, auditors, advisors, external consultants or other persons acting on our behalf;
  • lawyers, notaries, bailiffs, auditors, banks, advisors, service providers, suppliers being natural persons with whom we have been requested by the client to share personal data with or with whom we need to share personal data for the purpose of our services and/or to fulfil our legal obligations in relation to our engagement;
  • public authorities, courts, institutions, administrations, governmental corporations, when necessary within the frame of our services or for the purpose thereof or when we are legally obliged to do so;
  • counterparties and adverse parties, when necessary within the frame of our services or for the purpose thereof or when we are legally obliged to do so;
  • payment service providers and banks to collect outstanding payments from accounts or pay refunds;
  • agencies, printing companies, event planners or other services providers that support us in the implementation of marketing measures and the holding of events;
  • IT and cloud services providers, who, among other things, store data, support the administration and maintenance of the systems as well as file archivists and shredders;
  • logistics service providers to deliver documents;
  • service providers in the context of the examination of conflicts of interest, money laundering examination, etc.;
  • collection companies and legal advisors in the context of asserting our claims;
  • phone and network operators.

 

Transfer to Third Countries

We may transfer personal data to countries outside the EU or the EEA only in the following cases:

  • if such countries are granted an adequacy decision by the European Commission;
  • if such countries have not been granted an adequacy decision by the European Commission:
  • if appropriate safeguards are provided in accordance with article 46 of the GDPR; or
  • for the performance of the contract we have with the data subject or the implementation of pre-contractual measures taken at the data subject’s request; or
  • if necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person; or
  • if necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims (including for example to comply with the laws applicable to us, a governmental or a court’s injunction made to us); or
  • with the data subject’s explicit consent.

 

Duration of storage of the personal data

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements or for the establishment, exercise or defence of legal claims.

Personal data collected for the purpose of complying with our legal or regulatory obligations will be retained on the basis of their relevant statutory limitation periods.

When personal data are processed on the basis of the data subject’s consent, such processing will continue the until revocation of data subject’s consent, or - if we use personal data for marketing purposes - until the data subject’s objection or if we receive delivery failure messages.

Statutory limitation periods are, as of this date, as follows for the below documents:

 

Duration

Nature of the documents

Starting point

30/10 years

accounting documents and documents relating to direct or indirect taxes

after the end of the accounting period to which they relate

documents relating to our business relationship

after the end of such relationship

5 years

documents collected for the purpose of ensuring compliance with our anti-money laundering obligations

after the end of our relationship

 

If the personal data are no longer required for the fulfilment of contractual or statutory obligations and rights, they are regularly deleted, unless their - limited - further processing is necessary to fulfil the purposes listed under section 5. In these cases, even after termination of our business relationship or our pre-contractual legal relationship, we may store and, if necessary, use the personal data for a period compatible with the purposes.

 

Automated individual decision-making, including profiling

We do not use automated decision making in accordance with article 22 of the GDPR.

 

Data Protection Rights

Under certain conditions, data subjects may exercise the following rights:

  • Right of access: data subjects are entitled to request confirmation from us at any time within the scope of article 15 of the GDPR as to whether we are processing personal data relating to them; if this is the case, data subjects are also entitled under 15 of the GDPR to access such personal data and obtain information on the purposes of the processing, categories of personal data processed, categories of recipients, duration of storage, sources of the personal data, the use of automated decision-making and, in case of transfers to third countries, the appropriate safeguards provided).
  • Right to rectification: according to article 16 of the GDPR, data subjects are entitled to demand correction of the personal data we hold about them if inaccurate or incorrect. 
  • Right to erasure: data subjects are entitled, under the conditions of article 17 of the GDPR, to request from us the deletion of personal data relating to them without delay. There is, among others, no right of deletion if the processing of personal data is necessary for (i) the exercise of the right to freedom of expression and information, (ii) the fulfilment of a legal obligation to which we are subject (e.g. statutory retention obligations) or (iii) the assertion, exercise or defence of legal claims.
    • Right to restriction of processing: under the conditions of article 18 of the GDPR data subjects are entitled to request from us the limitation of the processing of their personal data.
    • Right to data portability: data subjects are entitled, under the conditions of article 20 of the GDPR, to request from us the provision of the personal data relating to them that you have submitted to us in a structured, current and machine-readable format.
    • Right to object: data subjects are entitled to object to the processing of their personal data under the conditions and within the limits of article 21 of the GDPR. Our interests may however prevent, in certain circumstances, the processing from being terminated despite any objection.
    • Right to withdraw consent: In the circumstances where data subjects may have provided their consent to the processing and transfer of their personal data for a specific purpose they have the right to withdraw their consent for that specific processing at any time. To withdraw their consent, data subjects need to contact us. Once we have received notification that a data subject has withdrawn his/her consent, we will no longer process the related personal data for the purpose or purposes originally agreed to, unless we have another legitimate basis for doing so.
    • Right of appeal to a supervisory authority: data subjects have the right to make a complaint to the Commission Nationale pour la Protection des Données (“CNPD”) which is the Luxembourg supervisory authority for data protection issues. We would, however, appreciate the chance to discuss with them about their concerns before they reach out to the CNPD so please do not hesitate to contact us.

 

The details of the CNPD are the following:

Commission nationale pour la protection des données
15, Boulevard du Jazz
L-4370 Belvaux
Phone: (+352) 26 10 60 -1

For any question or further information on data subject’s rights, please contact us at: luxembourg@luther-lawfirm.com.

We may need to request specific information from data subjects to help us confirm their identity and ensure their right to access their personal data (or to exercise any of their other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact the relevant data subjects to ask them further information in relation to their request to speed up our response.

 

Rights under the Market Abuse Regulation

If you qualify as issuer of financial instruments under the regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC Text with EEA relevance (the “Market Abuse Regulation”) we may, under certain circumstances, be considered as a permanent insider (as this term is defined in MAR) and you are as such entitled to access our insider list (as defined in article 18 of the Market Abuse Regulation) concerning the inside information we received from you.

 

Changes to this Policy

This Policy is as of 25 January 2022 and we reserve the right to make changes to the latter.