Privacy and Cookie Statement
Contents
1. Who is responsible for the use of my data?
2. When I visit the website, which data do you use, for what purpose do you use this data, and how long do you store it?
3. What cookies do you use, for what purpose, and how long are they stored?
4. When I apply for a job or a recruitment event at De Brauw, which data do you use, for what purpose do you use this data, and how long do you store it?
5. When you provide legal services, which data do you use, for what purpose do you use this data, and how long do you store it?
6. When I provide goods or services to De Brauw, which data do you use, for what purpose do you use this data, and how long do you store it?
7. What data do you store in your CRM system and what happens with it?
8. When I visit De Brauw's offices, which data do you use, for what purpose do you use this data, and how long do you store it?
9. Do you use my data for other purposes?
10. How do you secure my data?
11. How do you share my data outside the EU?
12. What happens when you get an order to disclose personal data?
13. To whom can I address my questions and requests for inspection, correction and removal of my personal data, and what other rights do I have?
1. Who is responsible for the use of my data?
De Brauw is the controller when you visit our websites, when we handle job applications, when we provide legal services, when you provide us with goods or services, when we use contact data in our CRM system, and when you visit our offices. In certain exceptional cases – for example, in specific due diligence work – the client is the sole controller and De Brauw is the processor. For example, when you use our client portal Connect, for some applications the client may be the controller and De Brauw the processor. Where applicable, we will then conclude a data processing agreement. If we are the processor, and you contact us with a privacy-related question, we will refer you to the organisation that is the controller.
2. When I visit the website, which data do you use, for what purpose do you use this data, and how long do you store it?
Our website, www.debrauw.com, is used to provide general information about our firm. debrauw.com is hosted by Oberon Medialab B.V. For clients and local counsel, we also have dedicated websites and apps:
- Connect, our client collaboration platform
- ECC, our local counsel platform to help clients and us keep track of costs
- MCP, our platform to support coordination of matters
- Dawn Raids App, an app providing practical information during a dawn raid.
For all the websites, we collect the following usage data: your IP address, your browser, the pages you visit, when you visit those pages, and (where applicable) the previous/subsequent site you visit. Our Dawn Raids app does not collect any information from your device.
We use this data to:
- administer the sites
- generate usage statistics
- provide for (additional) functionality on the sites
- manage the sites by resolving any technical faults or improving accessibility to certain parts of the sites
- ensure the security of our IT systems.
We process this data on the basis of our interest to ensure that websites and apps remain functional and secure. We retain this data for 14 months, unless stated otherwise below.
Our client and local counsel websites mentioned above also allow you to create an account. If you create an account, we will collect your name, email address, password and, where applicable, your employer. We use this data to register you with our website and provide you with access to the website. We use your email address to restore your password and to send you updates about our service. We retain account data for as long as you have an account with us.
Depending on the website, we process additional data and the hosting arrangements differ:
- For Connect: For some users, we automatically add the organisation you work for. You can add more information to your profile, such as your CV and a picture. By doing so, if you are a Flexpooler, we know for what engagements we could contact you. We make this profile data also available to others on the platform. In addition to the usage data mentioned above, we also collect the access type (Download, View, Print). We retain usage data (including access type) for one year. The Connect platform is hosted by Thomson Reuters (Professional) UK Ltd. Personal data processed in Connect is stored in the United Kingdom (UK). The European Commission has considered the UK to provide an adequate level of protection under the GDPR.
- For ECC: We use your email address to remind you to submit fee updates. We retain this data for seven years after the data was submitted. Our ECC platform is hosted by Cegeka Nederland B.V.
- For MCP: We also store data relevant to a matter (including deadlines), as well as details on other parties and their representatives. We use this data to cooperate internally and with external legal counsel on matters. For MCP, we retain this data for as long as we retain the matter. MCP is hosted by Eraneos Netherlands B.V.
For all three client and local counsel websites, we process this data on the basis of our interest to perform our services as agreed with our client.
3. What cookies do you use, for what purpose, and how long are they stored?
When you visit debrauw.com, cookies are placed on your computer. De Brauw uses two types of cookies:
- Necessary cookies: De Brauw uses a cookie in order to offer the website’s basic functionality and to remember your cookie settings. This cookie is called _gat. It is stored for 24 months. If the _gat-cookie is used to throttle the request rate, then it is stored for one minute.
- Cookies for analytics: De Brauw uses cookies to generate anonymous user statistics to make our websites more user-friendly. We do this through Google Analytics, a web analysis service offered by Google Inc. (Google). Google uses aggregated statistical information to provide De Brauw with an understanding of how visitors are using our websites. To protect your privacy, we have configured Google Analytics to only store part of our visitors’ IP address and to not share data with others. Google may only provide this information to third parties if it has a statutory duty to do so or to the extent that the third parties are processing the information on Google’s behalf. We have signed a data processor agreement with Google. We use the following cookies for this purpose: _ga and _gid. These are stored for 24 months and 24 hours respectively.
When you visit Connect, we use the following cookies: (i) DWRSESSIONID and cfusi for security purposes, stored during the session; (ii) FK, dwp and rsu for authentication purposes, FK stored for one day, dwp and rsu stored for 100 days; and (iii) ROUTEID to improve performance, stored during the session.
When you visit ECC, we use the following cookies: (i) XASSESSIONID, (ii) xasid, (iii) SessionTimeZoneOffset, (iv) DeviceType and (v) Profile. These are intended for authentication, session management and functionality of the application. The first three cookies are stored for a duration of 1 year. The other cookies are stored during the session.
When you visit MCP, we use one cookie for authentication purposes, pod-s-s, stored for 10 hours.
4. When I apply for a job or a recruitment event at De Brauw, which data do you use, for what purpose do you use this data, and how long do you store it?
When you apply for a job or a recruitment event at De Brauw via www.debrauw.com, you will be forwarded to our job application platform, www.connexys.com, which is provided by Connexys B.V. as a processor. You will then be asked to provide certain personal information, and we will combine this with the date of the application. If you provide us with a link to your LinkedIn profile, we will also add the profile information to your application. You may also be asked to provide further information in follow-up correspondence with us. This data will be combined with internal notes and correspondence on your application.
If you are a student visiting our offices as part of an organised event, we may sometimes receive your personal details, such as your name, CV and contact details, from the organiser.
We use this data to:
- assess your suitability for a position or event
- safeguard our internal control and security
- comply with legal obligations
- handle requests for reimbursement of your expenses
- determine your employment terms.
- We process this data on the basis of our interest to ensure that we find suitable candidates for our vacancies, or – in the case of identity documents and certificates of conduct – because we have a legal obligation to do so.
For some job applications, we may ask The Selection Lab B.V. as processors to perform an assessment. We will provide some of the information that you submitted to us (including your name and your CV), to the assessment firm. We store the outcome of the assessment, together with the other data that you have provided to us, and retain this for the same periods as above.
If we are considering offering you a position, we may apply a screening procedure to check your background and suitability. Depending on the responsibilities of the position, we will use Validata Group B.V. and – for more sensitive positions – Hoffman Bedrijfsrecherche B.V. to perform the screening. For this, we may ask you to provide us with additional information, and we may also use publicly available information about you, such as your publicly available social media feeds. The data will be retained for a period of 90 days in Validata's systems, and for a period of one year in Hoffmann's systems.
If you have applied for a position at De Brauw and you have been hired, the data will be added to your employee file, hosted by AFAS Software B.V. (Profit), and retained for seven years after you leave De Brauw. If you have been accepted to one of our student events, the data will be stored for two years in our application tracking system Connexys (see above). If your application has been rejected, the data will be retained for a maximum of four weeks after our decision, unless you give us permission to use your personal data to inform you of any suitable vacancy or position in the near future. In that case, we will retain your data for one year. We will retain your name and the date and topic of the rejection in our internal document management system for two years after the rejection.
5. When you provide legal services, which data do you use, for what purpose do you use this data, and how long do you store it?
De Brauw provides legal services, such as in the context of investigations, litigation, corporate matters and notarial services. In the course of providing those services, we process personal data of different categories of people. These include clients, clients’ contact persons, witnesses, experts, counterparties, counterparties’ contact persons, counterparties’ lawyers and advisors, and persons whose personal data forms part of a file. In particular:
- When we assist in litigation and conduct investigations, we may search for relevant information in files provided by our clients or another party. We may use this information, including personal data, in documents we have drafted as part of our services. For litigation, this includes investigating and preparing court documents. For investigations, this includes reporting to a client on its compliance with applicable rules.
- When we are engaged as counsel in corporate matters, we may set up or review a data room, which may contain personal data – for example, about employees. Or we might be asked to provide advice on corporate governance, which often involves analysing documents containing personal data. Sometimes we incorporate that information in documents we have drafted, such as reports or contracts.
- We also offer notarial services, for example by providing legal advice, legalising documents, and preparing, handling, executing and storing notarial deeds.
- We also process some of the personal data mentioned above for internal knowhow purposes. For example, we store relevant files (after removing most personal data) and some of our interactions with others, such as representatives of supervisory authorities, attorneys and judges, in our internal knowhow repository, to retrieve this information at a later date.
We do this processing on the basis of our clients’ legitimate interest in establishing, exercising and defending their legal rights, on the basis of our own commercial interest to offer high quality professional services and we may also do this because we are legally obliged to.
We will also use the contact details (name, address, email address) of our client (or their contact person) to send invoices. We do this to enable us to collect fees for our services, as part of the performance of the agreement between us and our client.
Lastly, we store this data to allow for a possible audit by the Netherlands Bar Association or the Royal Dutch Association of Civil-law Notaries. We do this because we are legally obliged to.
We retain our files for 20 years after the matter is closed, unless we are required by law to retain the files for a longer period of no more than 30 years (for example, in certain environmental cases). After this period, we will offer to return original documents which were provided by the client, and we will securely destroy all files. For notarial files, the retention periods prescribed by law apply.
Prior to most engagements, we collect certain information to verify the identity of the client, in order to comply with anti-money laundering legislation and legislation governing Dutch legal professions. We are obliged to check the status of identity documents by sharing the document number with a dedicated service provider. If the document is registered as missing, stolen or declared invalid, De Brauw and the service provider may share this with the relevant authorities. De Brauw is obliged to report unusual transactions to the Financial Intelligence Unit (FIU-Nederland). In that case, De Brauw must also provide the information it collected. De Brauw retains this information for a period of five years after the termination of the relationship or the performance of the transaction, unless this information has become part of a matter, in which case it is retained as long as the file of the matter is retained.
Sometimes, we share information processed in the course of providing services, including with lawyers from other firms, other advisors to clients, and courts. But only if this is possible within the boundaries of the strict confidentiality imposed on lawyers and notaries. In some cases, this is because you have given us permission, and in other cases, this is because our clients have a legitimate interest in establishing, exercising or defending their legal rights.
When you digitally sign documents through Docusign in the context of our legal services, we collect your email address, IP address and an image of your signature, as well as the time and date on which you used the service. We store this information in the matter related to the document you signed, and use it to document the signing process. We do this because we have a legitimate interest in retaining evidence of the signing. This data is available to all parties on behalf of which this document is signed, who may be located outside of the European Union or the European Economic Area.
6. When I provide goods or services to De Brauw, which data do you use, for what purpose do you use this data, and how long do you store it?
When you or your employer does business with us, we will collect certain data about you. Often you provide us with this information (such as your name, email address and position) in the course of doing business with us. Part of it might be derived from the order documents: in particular, we register what services or goods are provided, as well as related payment details. And, sometimes, we will ask you or your employer for other information, such as a certificate of conduct. If you are a freelancer, we will also store the contract that we have with you.
We use this information to:
- process and handle incoming invoices
- book invoices on matters in order to bill these to clients
- create a balance sheet and an overview of profits and losses
- file tax returns
- create internal financial reports
- to arrange for an audit by an accountant.
The basis for the handling of invoices is the performance of our contract with you, or because we have a legitimate interest in performing the contract with your employer. The basis for booking the incoming invoices to clients is the interest in charging our clients for the services provided. The basis for creating a balance sheet and an overview of profits and losses, and to create internal reports on finances, is because we are legally obliged to do so and because we have an interest in administering our finances. The filing of tax claims and the performing of an audit by an accountant is done because we are legally obliged to do so.
We retain invoices we receive and the contracts with suppliers, including contact details of suppliers, for a minimum of seven years.
7. What data do you store in your CRM system and what happens with it?
De Brauw uses a company-wide system to keep track of its contacts. For most persons, we store the name, email address, phone number, job title and work history (e.g., what organisation did someone work for previously, or is now working for). We sometimes also store additional information about someone, such as the industry they work in, gender, mailing language, areas of interest, home address, birthday, a spouse/partner’s name, hobbies, and other personal notes. We also keep track of the mailings we send to this person. For our alumni, we also note when someone has left the firm. If, in the past, you have been a client of De Brauw, were subscribed to our newsletters, or have worked with De Brauw, your records are probably in this system.
We use this data to:
- address you personally and ensure that persons within the firm communicating with you know your relevant personal details
- get a better overview of your network, the company you work for and its market(s)
- send you newsletters, updates about our firm and invitations to our events.
For the last purpose, we share your name, email address and areas of interest with Advanced Computer Software Group Ltd., who are our emailing provider for these kinds of communications. If you are not yet a subscriber, you can subscribe by sending an email to info@debrauw.com. You can always unsubscribe from receiving newsletters or change your preferences by sending an email to the same address.
We use your data on the basis of our interest in building and maintaining our network of personal contacts, with the exception of the sending newsletters, which we will only do with your consent.
We archive your data if it has not changed in 36 months and you have not received a mailing via our CRM system during this period.
8. When I visit De Brauw's offices, which data do you use, for what purpose do you use this data, and how long do you store it?
When you visit De Brauw's offices in Amsterdam and use one of our parking spaces, you will get a temporary exit pass from Reception. Reception will register the ID of the exit pass, together with your name and number plate, in a system provided by Spacewell International N.V. (Spacewell).
When you use a parking space at our office in Brussels, we provide your name to the firm handling the security for the building, Securitas. We do not store this data ourselves. We use this data because we have a legitimate interest to ensure you can use our parking spaces.
When you are visible to security cameras on or outside the premises of our Amsterdam office, your footage is stored for 14 days. The firm handling our security, Securitas Beveiliging B.V., also has remote access to our cameras. In our Brussels office, Securitas, operates a number of cameras at the entrance, common space and parking spaces. In London, the building owner, 125 Old Broad Street, operates cameras at the entrance to the building. We are under circumstances able to gain access to the footage collected by them. We are furthermore happy to put you in touch with Securitas and 125 Old Broad Street for further information.
We use the footage collected via camerasto:
- handle disputes
- protect the safety and health of one or more natural persons
- secure access to the office building
- guard the office
- monitor incidents.
For all these purposes, we process this data on the basis of our legitimate interest to do so.
We may share footage with governmental authorities, such as the police, if legally required to do so.
When you have a meeting at our offices, we will register your name, organisation, email address, date and time of entry and exit, date and time of the meeting, as well as your contact person at De Brauw. We store this data in a system provided by Spacewell. We use this data because we have a legitimate interest to plan and schedule meetings, to register which persons are at De Brauw for which meeting/contact person and to safeguard internal control and security. We retain personal data for three months after your visit.
9. Do you use my data for other purposes?
De Brauw may also process some of the personal data described above to:
- comply with a legal obligation
- to investigate, establish, exercise or defend against legal claims
- prepare for and give effect to a sale, merger or other transaction involving De Brauw's assets.
For the first purpose, our legal basis can be found in the obligation to comply with legal obligations. For the other purposes, our processing for this purpose is based on our legitimate interest to do so.
10. How do you secure my data?
De Brauw takes office-wide security measures as part of its information security framework. Technical measures include the use of access controls, firewalls, network segmentation, virus scanners, traffic monitoring, penetration tests, and encryption of laptops, phones and USB sticks. Organisational measures include a clear screen policy, confidentiality provisions, screening of personnel, privacy and security training and awareness, and implementing controls in contracts with suppliers. De Brauw is ISO 27001-certified, which demonstrates that it has implemented its information security measures according to internationally acknowledged standards. De Brauw has a Chief Information Security Officer responsible for the development and implementation of the information security policy.
11. How do you share data outside the EU?
In addition to its headquarters in Amsterdam, De Brauw has offices in Brussels, London, Shanghai, and Singapore. De Brauw has concluded standard contractual arrangements for the international transfer of data with its offices in Shanghai and Singapore (known as controller-to-controller standard contractual clauses, which can be found here. In circumstances where De Brauw transfers personal data to other parties, in those countries outside of the EU/EEA without an adequacy decision, transfer is usually necessary for the establishment, exercise or defence of legal claims. Otherwise, De Brauw will ensure that it provides appropriate safeguards for this transfer in accordance with the GDPR. You can contact dpo@debrauw.com for more information about these safeguards.
12. What happens when you receive an order to disclose personal data?
While this is unlikely, we may be required to disclose personal data by a court order or to comply with other legal or regulatory requirements. We will do everything we reasonably can to notify the persons involved before we disclose this data, unless we are legally restricted from doing so.
13. To whom can I address my questions and requests for inspection, correction and removal of my personal data, and what other rights do I have?
You are entitled at any time to request inspection, correction, removal or restriction of the processing of your personal data by De Brauw. In addition, in some cases you have the right to receive your data in a structured format (i.e., data portability). Please send your request, as well as other privacy-related questions you might have, to our Data Protection Officer at dpo@debrauw.com. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).