Personal Data Protection Policy
KLF is a law firm and provides legal advice and assistance to its clients. It is regulated by the Athens Bar Association.
This policy sets out KLF’s commitment to ensuring that any personal data, including special category personal data, which KLF processes, is carried out in compliance with Data Protection Legislation. KLF processes the personal data of both EU and non-EU citizens but is committed to ensuring that all the personal data that it processes is done in accordance with Data Protection Legislation. KLF ensures that best data protection practices are imbedded in the culture of our staff and our organisation.
All references to ‘our’, ‘us’, or ‘we’, herein are deemed to refer to Koutalidis Law Firm.
The following information explain the way in which we process your personal information when you contact us or use any of our services.
The information is categorised. You may therefore easily choose among categories of data processing and see the relevant information.
What data do we collect
- Personal identification information such as name, employer, title, or position.
- Contact information including a physical address, email address or phone numbers.
- Financial information including credit/debit card numbers, bank account information, and other invoicing and payment related information.
- Identification and background information provided by you or collected as part of our business acceptance processes (e.g. KYC procedures).
- Profile Information & Technical information such as (a) your IP address from your visits to our website or (b) browser information, device type and settings, time zone settings, operating system and platform, etc. or (c) in relation to electronic communications or as a result of the request for the provision of any service to you or (d) information about your preferences in receiving newsletters, your communication preferences and information about how you use our website(s), including the services you viewed or searched for, page response times, download errors, length of visits and page interaction information (for more information please refer to our Cookies Policy).
- Information provided to us in the context of our employment relationship with you (e.g., if you are a potential applicant) or another relationship related to the provision of services.
- Any other personal information provided to us by or on behalf of our clients or generated by us in the course or providing services to them, which may include special category data.
- Any information relating to you, you may provide us with, or we collect when you contact or interact with us.
- Any information provided to us from others in the context of providing legal services.
If or when you provide information to us about any person other than yourself, you must ensure that they have been made aware of how their personal data will be used, and that they have given their consent for you to disclose it to us and for you to allow us to use it.
How do we collect your data
The personal data that we collect is any information that is, directly or indirectly, relating to an identified or identifiable individual.
This information is gathered through various channels directly or indirectly, such as:
- When we provide any services to you – for example when you request any services from us (e.g., contacting via e-mail or telephone, visiting our website, subscription to our newsletter, job application etc.).
- When you have asked us for information.
- When your data is included in, legal advice we are asked to provide to that third party.
- When you make any request or provide any information relevant to your request.
- When you represent a natural or legal person.
- When you voluntary provide personal information to us – for example for the completion of a survey.
- From other companies, organisations and / or authorities (e.g. in the exercise of our duties your data is communicated to us by regulators or law enforcement bodies).
- When your information is contained in documents submitted to us by other controllers or processors in the context of the provision of our services or otherwise.
- When monitoring our Website.
- We may also collect personal information that are publicly available (such as business registries, social media etc.).
How do we use your data (purpose of processing)
We use your personal information mainly for reasons such as:
- To provide to you with the information or services you have requested.
- For the performance of contractual obligations or their preparation.
- To conduct business and provide legal advice and services.
- To administer and monitor our relationship (e.g. business acceptance, conflict checks, accounting, auditing purposes, confirm legal representation of our counter parties).
- To respond to your inquiries and fulfil requests (e.g. when you send us questions, complaints, etc.).
- For internal and / or external customer administration and business purposes.
- To respond to requests relevant to the processing of your personal data.
- To fulfil our business legal and regulatory requirements (e.g. exercise or defend legal rights, protect the security of our communications and other systems and to prevent and detect security threats, frauds or other criminal or malicious activities).
- To process employment applications and for recruitment purposes.
- To accomplish business purposes (e.g. for data analysis to improve our services, for audits, for fraud and monitoring purposes, to meet legal and regulatory obligations etc.).
- To provide access to features of our Website and monitor its use, fulfil registration requests, send/receive newsletters, publications, legal updates or other material from us (if you have provided the relevant consent), provide you information about our services or news about the Law Firm, etc.
- When participating in anonymous aggregated statistics, or when collecting feedback on our services and practice, or when we participate in legal directories and other publications or in order to measure our performance and to improve and promote our services.
We request that you do not provide and do not disclose to us any Special Categories personal data, unless it is absolutely necessary.
The services are not directed to individuals under the age of eighteen (18), and we do not knowingly collect personal information from individuals under 18. We may process personal information of minors, provided that consent is given or authorised by the holder of parental responsibility over the minor or it is required in the context of offering a service to our clients or receiving a service from one of our providers.
Use of personal data (lawful basis)
Further to the aforementioned, we use your personal information in the following ways.
A) Based on our contractual relationship:
- to provide to you with the information or services you have requested;
- to respond to your inquiries and fulfil requests (e.g. when you send us questions, complaints, etc.);
- to communicate with you;
- in order to register you as clients, to provide and administer legal services, or to process invoicing, payments and other monetary transactions;
- to conduct business and provide legal advice and services;
- to administer and monitor our relationship;
- process employment applications and for recruitment purposes;
- for internal and / or external customer administration and business purposes, etc.
B) Based on our legal obligations:
- to respond to requests relevant to the processing of your personal data;
- to exercise or defend legal rights, protect the security of our communications and other systems and to prevent and detect security threats, frauds or other criminal or malicious activities;
- for fulfilling our business legal and regulatory requirements, etc.
C) Based on our legitimate interest:
- for accomplishing business purposes;
- for data analysis to improve our services;
- for audits;
- for fraud and monitoring purposes;
- to meet legal and regulatory obligations etc.
D) Based on your consent:
- to provide access to specific features of our Website;
- to fulfil registration requests;
- to provide newsletters, publications, legal updates or other material from us;
- to provide you information about our services or news about KLF, etc.
Please also see above, Section “How we use your data”.
Storage and retention of personal data
KLF securely stores the personal data on our secure servers within the European Union (EU).
Your personal information is retained for the applicable period of time, depending on the purpose(s) for which they have been obtained and according to the applicable legislation. For the determination of the retention period certain criteria are being followed, such as: (a) if there is an ongoing relationship between us or (b) a legal obligation to which we are subject or (c) any retention period required by the law or (d) provision of consent etc.
KLF shall retain the personal data, if there are any pending or upcoming dispute before the court or any other legal proceedings, until these proceedings are finally concluded, regardless of how.
The personal information shall not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods as long as the personal data will be processed solely for archiving purposes following the requirements of the law.
Disclosure and Transfer of personal data
As a principle, the personal data that we collect shall not be transferred to and / or stored at third countries outside the European Economic Union (“EEA”).
However, in certain cases -for example due to legal obligations (such as requests from authorities), or in order to perform a Service, or in order to handle your request- your personal data shall be transferred to third countries. In such cases all the legislative requirements will be followed to ensure the security of your personal information.
We may disclose your personal data to:
- third parties, including service providers that we retain in the course of the legal services we provide, such as foreign legal advisors, for obtaining foreign legal advice, translators, court bailiffs, couriers, mediators, financial & technical experts, and other necessary servicers,
- courts, law enforcement and other public authorities, government officials or attorneys or other parties, where it is reasonably necessary for the establishment, exercise or defense of a legal claim, or for the provision of our legal services, or for the purposes of alternative dispute resolution process or upon request,
- third parties who provide services to us, such as information technology services, services of carrying out research and analysis – however it should be noted that these third parties are not allowed to use this information or to share it for any purpose other than to provide services to us,
- third parties when participating in aggregated statistics about your use of our Website,
- third parties for the purposes of collecting feedback on our services and practice, when we participate in legal directories and other publications or in order to measure our performance and to improve and promote our services.
Your data may also be communicated to the processors with which KLF cooperates to support its systems or to provide its services. The processors may not further process your personal data unless we have explicitly instructed them to do so, nor to transfer your personal data to third parties.
Data Subject Rights
KLF has processes in place to ensure that it can facilitate any request made by an individual to exercise their rights under data protection law. All staff have received training and are aware of the rights of data subjects. Staff can identify such a request and know who to send it to.
All requests will be responded without undue delay and within one (1) month of receipt to the extent possible – following the verification of the requestor (if required). KLF will notify in writing on the satisfaction or the reasons that prevent the satisfaction of a request within the deadline. The deadline, following a relevant notice, may be extended by two (2) more months if KLF receives a large number of requests simultaneously or due to the complexity of the request. The requested information will be provided at no cost, unless the requests from a data subject are manifestly unfounded, excessive or repetitive. In such case we may charge with a reasonable fee or refuse to act on the request.
Subject access: the right to request information about how personal data is being processed, including whether personal data is being processed and the right to be allowed access to that data and to be provided with a copy of that data along with the right to obtain the following information:
- the purpose of the processing;
- the categories of personal data;
- the recipients to whom data have been disclosed or which will be disclosed;
- the retention period;
- the right to lodge a complaint with the Hellenic Data Protection Authority;
- the source of the information if not collected directly from the subject; and
- the existence of any automated decision making.
Rectification: the right to allow a data subject to rectify inaccurate personal data concerning them.
Erasure: the right to have data erased and to have confirmation of erasure, but only where:
- the data is no longer necessary in relation to the purpose for which it was collected, or
- where consent is withdrawn, or
- where there is no legal basis for the processing, or
- there is a legal obligation to delete data.
Restriction of processing: the right to ask for certain processing to be restricted in the following circumstances:
- if the accuracy of the personal data is being contested, or
- if our processing is unlawful but the data subject does not want it erased, or
- if the data is no longer needed for the purpose of the processing but it is required by the data subject for the establishment, exercise or defense of legal claims, or
- if the data subject has objected to the processing, pending verification of that objection.
Data portability: the right to receive a copy of personal data which has been provided by the data subject and which is processed by automated means in a format which will allow the individual to transfer the data to another data controller. This would only apply if KLF was processing the data using consent or on the basis of a contract.
Object to processing: the right to object to the processing of personal data relying on the legitimate interests processing condition unless KLF can demonstrate compelling legitimate grounds for the processing which override the interests of the data subject or for the establishment, exercise or defense of legal claims.
Right to report to Supervisory Authority: should you be not satisfied from the provision of our response following the exercise of your rights in regard to your personal data or if you remain dissatisfied with the way we process your personal data, you have the right to report to the Hellenic Data Protection Authority (“HDPA”) at the following:
Hellenic Data Protection Authority Offices: 1-3 Kifissias, 115 23 Athens, Greece
Call Centre: +30-210 6475600 / Fax: +30-210 6475628
Website: https://www.dpa.gr / E-mail: firstname.lastname@example.org
KLF will facilitate any request from a data subject who wishes to exercise their rights under data protection law as appropriate, always communicating in a concise, transparent, intelligible and easily accessible form and without undue delay.
Special Categories of personal data
The Special Categories of data include the following personal data revealing:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person;
- an individual’s health;
- a natural person’s sex life or sexual orientation;
- criminal convictions or offences.
KLF processes special category data of clients and third parties as necessary in order to provide legal services for the establishment, exercise or defense of legal claims, provided that the conditions set out in Art. 9 of GDPR are met.
We request that you do not provide and do not disclose to us any Special Categories personal data, unless it is absolutely necessary.
We do not provide services directly to minors, nor do we collect proactively their personal data. However, we are sometimes provided with children’s data for the provision of services. In so far as they relate to these cases, the present information applies just as much to minors as to adults. This policy is written in simple language, so that a person at least 15 years of age can understand its main points.
Cookies / Log files
The purpose of storing this information is to check the security of the information and services of the Website, to ensure the possibility of investigating any online attacks and incidents and to support any relevant legal claims.
The legal basis for the above processing is Article 6 (1) (f) of the GDPR which allows us to process data when it is necessary for the purposes of the legitimate interests pursued by KLF.
The logs shall be kept for a period of 12 months and may be notified to the processing company for the purpose of managing the Website and to the competent authorities, if necessary, to investigate any online attack and incident. The information investigated or used in the context of legal claims shall be kept for the period required for those purposes.
KLF shall ensure that:
- Personal data is stored securely using modern software that is kept up to date.
- Access to personal data shall be limited to personnel who need access and appropriate security is in place to avoid unauthorised sharing of information.
- When personal data is deleted, this is done safely so that the data is irrecoverable.
- Appropriate back-up and disaster recovery solutions are in place.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, KLF shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the Hellenic Data Protection Authority and / or the data subjects, as required by the Data Protection Legislation.
If you want to contact us with questions, requests or additional information regarding your personal data protection, and / or regarding the exercise of your rights, you can contact us at GDPR@koutalidis. To exercise any of the above rights, we advise you to ask copy of our “Data Subject Request Form” and submit it to us.
You can also contact us by post at the following address: 115 Kifissias Avenue, 115 24, Athens, Greece. Please make a note on the subject / envelope “To the attention of the Responsible Person for personal data”.
Monitoring and review
We keep this data protection policy under regular review to make sure it is up-to-date and accurate.