1 June 2022
Crefovi SELAS (‟Crefovi” or ‟the firm”) is committed to collecting, maintaining and using personal information about our clients and business contacts responsibly. The provisions of data protection laws in the European Union (the ‟EU”), the United Kingdom (the ‟UK”) and elsewhere, impose strict conditions on the firm. Crefovi has made a commitment through our Binding Corporate Rules (‟BCRs”) to apply a consistent standard across the firm when collecting, using and managing personal information. You can find out more about our BCRs below. See Section 5 (International transfers).
This privacy notice explains how we may collect, use and disclose information about clients and other business and firm contacts, and describes the rights you may have in respect of your own personal information. Please read it carefully.
1. Who we are
Crefovi operates worldwide as a ‟société d’exercice libéral par actions simplifiée” organised under the laws of France, with affiliated branch conducting the practice in the UK.
Contact details for our offices around Europe can be found on our website crefovi.com. The data controller(s) in respect of your personal information, will be the Crefovi’s entity, or entities, with which you are dealing and/or Crefovi SELAS.
2. Who does this privacy notice apply to?
This notice applies to the individual client contacts with whom we deal, including prospective clients. It applies to personal information that is collected as part of our client on-boarding process and disengagement, as well as to the information gathered during the course of a client relationship.
It also applies to the personal information of employees, at client entities and businesses, and related contacts whose details we may receive as part of the provision of legal services. In these circumstances, our main client contact is responsible for ensuring that all affected individuals are made aware that their personal details will be provided to us, and of the purposes for which we will use that information, for example by showing them a copy of this notice.
2.2. Business contacts
In addition, this notice covers the personal information of individuals who are not existing or former clients, but who engage with the firm by signing up to receive communications, such as email alerts and publications, or who attend events run by the firm (either alone or in conjunction with partner organisations), whether online or in person.
2.3. Other firm contacts
This notice also covers the personal information of individuals that the firm has a business arrangement with, such as vendors, agents and adverse parties.
3. What information is covered?
In this privacy notice, ‟personal information” means any information (whether electronic or written) relating to an individual, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
It also includes special categories of personal information (‟special category data”) from which we can determine or infer an individual’s racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, membership of a trade union, physical or mental health or condition (including biometric and genetic data), sexual life/orientation, or judicial data (including information concerning the commission, or alleged commission, of a criminal offence and any sentence or penalty imposed).
Crefovi will only collect special category data if it is necessary for one of the purposes described below. Further information about when and why we may need to do this is set out in Section 4 (The information we collect and how we use it).
4. The information we collect and how we use it
Crefovi may use your personal information for a variety of purposes, as outlined in the following sections. The firm is committed to collecting and using only the personal information that is necessary for the provision of legal services to our clients; to establish and/or maintain its business relationship with business and/or firm contacts; to respond to your requests and inquiries, and to make individuals aware of, and keep them informed of, opportunities, services and events which it reasonably considers may be of interest to them and/or which they have otherwise confirmed their preferences to receive from our firm. In the past 12 months, Crefovi has collected the following categories of personal information:
- identifiers (e.g., name, contact information, and identification numbers);
- biometric information (e.g., photographs);
- commercial information;
- professional or employment related information;
- publicly available social media and news reports;
- characteristics of protected classifications (e.g., nationality, political affiliation, citizenship status), and
- audio and video recordings (e.g., CCTV recording, online meetings and webinars).
Appendix 1 provides more detail about the purposes, the information we may collect, the source of the information, and the legal authority relied upon by the firm.
In some cases, it will be mandatory for you to provide personal information to the firm, to enable us to provide services to you (or your employer), engage with you or to comply with the firm’s legal obligations.
4.1. Identity, conflicts, anti-money laundering and other checks
The firm collects a variety of information about clients and client contacts, as part of our new client on-boarding process. This may be referred to as due diligence or ‟Know Your Client”. The checks may include some or all of the following:
- Identify verification: proof of name and address;
- Ultimate beneficial ownership of corporate and other legal entities;
- Conflict checks: to avoid a conflict of interest with any other client;
- Anti-money laundering, proceeds of crime and terrorist financing checks;
- Politically exposed persons checks: those with prominent roles in government, judiciary, courts, central banks, embassies, armed forces and state-owned enterprises, including their family members and close associates, and
- Government sanctions list checks.
These checks are made for legal, regulatory or business reasons and may need to be repeated during the course of our engagement. It is important that you provide us with all necessary information and documents, or this may affect our ability to provide services.
If we hold funds for you in our client account, we may be required to provide information on your identity to the bank(s) which administer the account.
We may use third party sources to obtain some of this information. Details can be found in Appendix 1.
4.2. Providing legal services
Crefovi may collect or generate additional details about you during the course of our engagement, for the purpose of providing legal services. As part of this, we may collect information about employees of client organisations, for example when advising on a business sale, relocation programme or share scheme. In addition, we may collect information to build up a client profile, which could include information regarding pitches, fees, events attended and business development endeavours, as well as publicly available social media and news report, so we can track and understand the client relationship better. We may also collect information about parties and other individuals involved in an arbitration, when a member of the firm acts as an arbitrator.
We may also use your personal information:
- to administer our relationship and maintain contractual relations;
- for accounting and tax purposes;
- for marketing and business development;
- to comply with the firm’s regulatory obligations;
- to establish, exercise or defend legal rights;
- for the prevention and detection of crime, and
- for historical and statistical purposes.
4.3. Other business interactions
As part of your business or other commercial dealings with the firm, we may collect or generate details about you. We may use this personal information to administer our relationship and maintain contractual relations, for the provision of legal services to our clients, for accounting and tax purposes, and to comply with our regulatory obligations.
4.4. Information collected at our premises
If you visit our premises, your image may be captured on CCTV systems operated by the firm or the entity which manages our premises. Building access control systems may also capture the location, time and date of your entry and exit to our offices. Where required by local law or regulation, we may also collect health screening information (including temperature) or other wellness data necessary to facilitate the safe functioning of our offices.
Where permitted by applicable law, Crefovi may record and/or monitor telephone calls made and received and electronic communications sent to, or received by, the firm’s networks in order to protect our business and verify compliance with our policies and relevant legal requirements. Any such recording and/or monitoring will be carried out for lawful business purposes, and in accordance with applicable laws and regulations. This may include the following purposes:
- recording facts (including converting voice messages into text);
- establishing compliance with the firm’s policies and procedures;
- complying with applicable laws and regulations;
- for crime prevention and detection, and
- to monitor the effective use and operation of the firm’s networks and systems.
If you participate in a zoom, microsoft team, skype or similar online meeting, event, web conference, or videoconference, the contents of the call or meeting (video and audio) may be recorded either by Crefovi or by our service provider. Recordings retained by the firm may be used for the firm’s legitimate business purposes. Please note that recordings may be discoverable in a relevant legal matter.
In order to communicate efficiently, correspondence and documents may be sent by unencrypted email. You will be aware that this is not guaranteed as a secure method of communication, nor are there any service standards for delivery. If you would prefer us not to use unencrypted email, please speak to your contact at the firm.
4.6. Marketing and business development
The firm collects information for marketing and business development purposes and as part of the general administration of client relationships. We may use some personal information for client entertainment purposes, including recording your interests and preferences.
We may pass your contact details to legal directories so they can contact you to provide a reference for the firm. We will let you know when we do this and you will have an opportunity to tell us if you do not want to be contacted in this way.
We will also use your personal details to send you information by email or post, or using social media or social networking sites, about our services, developments in law and practice, brochures, press releases, invitations to seminars and talks. You can select the practice areas and subjects you are interested in, when you sign up on our website. You may update your preferences, or opt out at any time. For more information on how to exercise your rights, see Section 10 (Your rights) below.
If you attend an event that is run by, or in association with, our law firm (whether online or in person), we will collect contact details as part of event registration. This information may include dietary requirements and details of any health issues or disabilities which may impact upon your attendance at or participation in the event. We may also request a delivery address (which may be your home address) for the purpose of sending a gift or other item to those attending the event.
Where an event is run in association with a partner organisation or hosted at an external venue, we may need to share your personal details with the partner, event organiser or venue. This will be made clear to you before you sign up for the event. Only the minimum information will be shared, as necessary for the purposes of running the event.
If the event is run in association with a partner organisation, they will be responsible for informing you about any marketing they may wish to undertake and obtaining your consent, where necessary.
If the event is run online, we may make a video and/or audio recording. You will be informed about this prior to the event so that you can choose whether or not to attend a recorded session, or whether to withhold your personal details during the event.
5. International transfers
Crefovi is a European firm operating on a global basis. Like most international businesses, Crefovi has centralised certain aspects of its client administration and records management, in France and the UK. In addition, where client projects span more than one jurisdiction, information will need to be accessed by all those, within the firm, who are working on the matter. As a result, your personal information may be transferred outside the country of origin (which includes transfers outside the European Economic Area (‟EEA”) and the UK) and may be accessed across the firm, on a global basis.
Crefovi takes all necessary security and legal precautions to ensure the safety and integrity of personal information that is transferred within the firm. Crefovi has implemented BCRs which allow for global transfers within the firm, of personal information originating in the EEA and the UK, in accordance with applicable EU and UK privacy laws. The BCRs require all Crefovi entities and offices, worldwide, to use the same standards of protection for personal information. Your personal information will therefore be given the same level of protection, regardless of its location, within the firm.
You can access the firm’s BCRs here.
Your personal information will also be accessed by Crefovi’s service providers, which may be located in the United States and other jurisdictions. For more information, see Section 7 (Service providers) below.
The firm may disclose your personal information (i) where this is necessary for the purposes described in Appendix 1, including within the firm itself; (ii) if required by applicable law; (iii) in connection with a reorganisation or combination of our firm with another firm; (iv) if we believe that such disclosure is necessary, to enforce or apply terms of engagement and other agreements, or otherwise protect and defend Crefovi’s rights, property or safety; (v) in order to comply with a judicial proceeding, court order or other legal obligation, or a regulatory or government inquiry, or (vi) with your consent.
We would like to draw particular attention to the fact that, in some jurisdictions, Crefovi has a legal obligation to report suspicious transactions and other activity, to relevant regulatory authorities, under anti-money laundering, terrorist financing, insider dealing or related legislation. The firm may also report suspected criminal activity to the police and other law enforcement bodies. We may not be permitted to inform you about this, in advance of the disclosure, or at all.
Third party recipients of personal information relating to clients, business and firm contacts may include:
- tax and customs and excise authorities;
- regulatory, financial and other professional bodies;
- stock exchange and listing authorities;
- public registries of company directors and shareholdings;
- public health authorities;
- providers of identity verification services;
- credit reference agencies;
- the courts, police and law enforcement agencies;
- government departments and agencies, and
- auditors and professional advisers (including professional indemnity insurers and advisers).
Crefovi will use all reasonable efforts to disclose the minimum personal information necessary in each case.
We have in the last 12 months disclosed for a business purpose the categories of personal information listed in Appendix 1.
7. Service providers
Third parties providing services to Crefovi are referred to as ‟Vendors”. Crefovi will put in place contracts with Vendors, which address the requirements of relevant privacy laws. Vendors will be required to use appropriate security measures, to protect personal information, and will be prohibited from using personal information other than as instructed by the firm.
Vendors who process personal information on behalf of the firm, may be located in the United States, the EU, the UK, or other countries around the world. Crefovi will ensure that Vendors comply with any applicable legal requirements, for transferring personal information outside the jurisdiction in which it was originally collected. If data is transferred outside the EEA or the UK, to a country that has not granted ‟adequate” status by the European Commission, Crefovi will require Vendors to execute the Standard Contractual Clauses, for the transfer of personal information to third countries, as sanctioned under applicable EU and UK privacy laws.
If you would like more information about the Vendors we work with, please contact the Global data privacy officer.
8. Keeping your information up to date
Crefovi makes every effort to maintain the accuracy and completeness of the personal information held by the firm. To support us ensure we have the most up to date information about you, it is important that you inform us of any updates to your contact details or other personal information. Please contact your client relationship partner, or the person you usually deal with, at the firm. You can also contact Crefovi’s Global data privacy officer.
The firm will retain personal information only for as long as it is needed, for the purposes described in Section 4 (The information we collect and how we use it) above. Note that retention periods may vary, in different jurisdictions.
The retention period for client files is detailed in our client care and legal mission agreements.
We may need to retain information for significant periods of time, in order to establish, exercise or defend our legal rights, and for archiving and historical purposes. Where possible and practical, personal information will be rendered anonymous through the removal, substitution or blocking of details which enable individuals to be identified.
10. Your rights
In certain circumstances, subject to certain exceptions and applicable law, you may have the following rights in relation to personal information about you:
- the right to know (i) the specific pieces of personal information collected; (ii) the categories of personal information; (iii) the categories of sources of the personal information; (iv) the business or commercial purpose for collecting the personal information; (v) the categories of personal information disclosed for a business purpose; and (vi) the categories of third parties with whom the personal information is shared;
- the right to have your personal information corrected, for example if it is incomplete or incorrect;
- the right to opt out of receiving marketing communications, at any time;
- the right to request that your personal information is deleted;
- the right to restrict, or object to, the processing of your personal information;
- the right to receive a copy of the personal information which you have provided to the firm, in a structured, commonly used and machine-readable format (known as ‟data portability”);
- where you have provided personal information voluntarily, or otherwise consented to its use, the right to withdraw your consent;
- the right not to be discriminated against if you exercise any rights conferred on you by the California consumer privacy act of 2018, and
- the right to complain to a Data Protection Authority (see further below).
If you have an online account, you may access, update and correct your personal information – including your marketing choices – using the account management facilities. You may also opt out of receiving marketing and market research communications at any time by contacting us at .
Crefovi does not, and will not, sell your personal information as defined under the California consumer privacy act of 2018.
If you have a query about this statement, or wish to exercise your rights, please contact Crefovi’s Global data privacy officer. California residents may also call our phone number +44 (0)20 3318 9603. You may also appoint an agent to submit a request on your behalf.
Once we receive your request, our Global data privacy officer will contact you or your agent within the timeframe specified by applicable law, to confirm receipt of your request and, if needed, to gather more information about your request. Depending on the nature of the request, additional information may be requested. You or your authorised agent may need to provide the following:
- Proof of identity and address (e.g. a copy of your valid passport or driving licence);
- If you are acting as an authorised agent, express notarised permission from the individual on whose behalf you are acting;
- A description of the right(s) you want to exercise, and the information to which your request relates.
Please note, we may not be obligated to provide access to personal information, or delete any data, to the extent that we cannot verify that the person making the request is the person about whom we collect information, or is someone authorised to act on that person’s behalf. Any personal information we collect from you, to verify your identity, in connection with your request, will be used solely for the purposes of verification.
You also have the right to complain to a Data Protection Authority if you believe that your personal information has been collected, or used, in breach of relevant privacy legislation or Crefovi’s BCRs. If you are located in the EU, this will be the Data Protection Authority in the country in which you are located. Alternatively, you may contact the ‟Commission nationale de l’informatique et des libertés” (‟CNIL”), 3 Place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07, France. Further information and contact details can be found on https://www.cnil.fr.
Further information about making a complaint, either to Crefovi or to a Data Protection Authority, can be found in Crefovi’s Data privacy complaints procedure.