1 June 2022
This webpage sets out the standards that apply to the processing of European Personal Data (as defined below) within Crefovi SELAS (‟Crefovi” and the ‟Standards”, respectively). Crefovi is a European law firm with offices in 2 countries around the world. The firm operates without internal boundaries and the international nature of the business means it is vital that personal data can be transferred within the firm.
Crefovi, through its board, has made a commitment to protect personal data that is processed within the firm. In particular, these Standards are designed to facilitate the transfer of European Personal Data (as such term is defined below) within Crefovi, in accordance with the General Data Protection Regulation (EU) 2016/679 (the ‟GDPR”).
‟Applicable law” means the law in the jurisdiction in which a Crefovi Entity is situated and any other law to which a Crefovi Entity is subject.
‟BCR agreement” means the agreement which commits all Crefovi Entities which process European Personal Data (as such term is defined below) to comply with the Standards.
‟Crefovi” and ‟the firm” means Crefovi SELAS, a firm which operates worldwide as a “société d’exercice libéral par actions simplifiée” organised under the laws of France with an affiliated branch conducting the practice in the United Kingdom (the ‟UK”).
‟Crefovi Entity” means each of the limited companies and branches forming part of the firm.
‟Data Protection Authority” or ‟DPA” means the supervisory authority responsible for monitoring and enforcing compliance with data protection laws in a particular country.
‟DPIA” means data protection impact assessment as defined under article 35 of the GDPR.
‟EEA” means the European Economic Area.
‟EU Privacy Laws” means national laws in the EEA and the UK which implement the GDPR, the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“Directive on privacy and electronic communications”) (and any legislation that amends or replaces it) and related European privacy legislation (including for the avoidance of doubt the UK data protection act 2018).
‟European Personal Data” means personal data of (i) staff, solicitors, partners, consultants, contractors and potential candidates for any of the above collected and processed in relation to recruitment and human resources administration; (ii) clients, prospective clients and alumni processed in relation to the provision of legal services and/or marketing and communications purposes; and (iii) suppliers, vendors, contractors and advisers processed in the context of the relationship between such entities and Crefovi (further information about which is set out in the Client and Third Party Data Privacy Notice), by any Crefovi Entity as a data controller which is subject to applicable EU Privacy Laws.
‟Local Law” means the laws and/or regulations of, or any other legal obligation imposed by, any country to which a Crefovi Entity is subject, other than applicable EU Privacy Laws.
‟Model Clauses” means the standard contractual clauses for the transfer of personal data to processors or controllers established in third countries which are published and approved by the European Commission from time to time.
‟Personal data” means information relating to an identified or identifiable natural person (‟Data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. The term ‟Personal data” will also include any information relating to persons who are not natural persons where this is a requirement of applicable EU Privacy Laws.
‟Personnel” means Crefovi partners, solicitors and staff, both temporary and permanent.
‟Security breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, European Personal Data which is processed by a Crefovi Entity.
‟Special category data” means European Personal Data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships, offences, criminal convictions, health, sexual orientation or sex life, genetic and biometric data and any other category covered by applicable EU Privacy Law.
The terms ‟processing”, ‟data controller” and ‟processor” shall have the meanings given to them in the GDPR.
Crefovi currently operates in the following countries, with only the Paris office located in the EEA:
59 rue Legendre, 75017 Paris, France
19 Swallow House, Barrow Hill Estate, London, NW8 7BD, United Kingdom
The Standards apply to the processing of European Personal Data by Crefovi Entities located in the EEA and also in the UK.
The Standards also apply to any export of European Personal Data out of the EEA or the UK, by a Crefovi Entity and to the processing of such exported data by a Crefovi Entity (either in the capacity of a data controller or a data processor) located outside the EEA or the UK.
For the purposes of these Standards, it is acknowledged that:
a) the UK is considered a third country under the terms of the GDPR;
b) under the UK data protection act 2018, personal data may be exported from the UK to EEA member-states, and
c) under the UK data protection act 2018, Binding Corporate Rules provide appropriate safeguards for the transfer of personal data within a group of undertakings to countries outside the EEA.
Rules and principles
1. Data handling principles
When acting as a data controller, each Crefovi Entity, processing Personal data in accordance with the Client and third party data privacy notice (as applicable), will comply with the following principles:
1.1. European Personal Data will be processed transparently, fairly and lawfully: data subjects will have available to them, to the extent the relevant data subjects are not already aware of, or in receipt of, information as to the identity of the data controller(s), the purposes for which their Personal data may be used (subject to any permitted restrictions on the provision of such information, for example in connection with crime prevention, legal proceedings or taxation, or where prohibited by Applicable Law), the legal basis for processing and other relevant information as required by applicable EU Privacy Laws. Such information will include details of the rights available to data subjects under EU Privacy Laws.
1.2. European Personal Data will be collected for specified, explicit and legitimate business purposes and, unless otherwise permitted by applicable EU Privacy Laws, will not be further processed in any way that is incompatible with those purposes.
1.3. Special category data will be processed only where strictly necessary for the firm’s legitimate business purposes and in accordance with the requirements of applicable EU Privacy Laws.
1.4. Appropriate steps will be taken to ensure that European Personal Data collected and processed is adequate but not excessive, and that it is relevant, accurate and (where necessary) kept up to date. Appropriate steps will also be taken to correct or delete Personal data promptly where it is found to be inaccurate.
1.5. European Personal Data will not be retained for longer than is necessary for the purposes for which it is processed, and will be retained in accordance with the firm’s documented data retention policies (subject to regulatory requirements of applicable EU Privacy Laws).
2. Data security
2.1. Having regard to the state of the art and the cost of implementation, each Crefovi Entity will take appropriate technical and organisational measures to protect European Personal Data against accidental or unlawful destruction or accidental loss, alteration, damage, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. The measures will ensure a level of security appropriate to the risks represented by the processing and the nature of the European Personal Data to be protected, so that special category and other highly confidential information will receive enhanced protection. Such measures will include the following, where appropriate:
(c) confidentiality, integrity, availability and resilience of systems and services;
(d) backup and disaster recovery facilities, and
(e) processes to test, assess and evaluate the effectiveness of the security measures.
2.2. Each Crefovi Entity shall without delay notify the firm’s Global data privacy officer of any Security breach. The Global data privacy officer will keep appropriate records documenting the Security breach, any potential impact on data subjects and any remedial action taken. The Global data privacy officer shall ensure that notifications are made to relevant Data Protection Authorities and affected data subjects as may be required under EU Privacy Laws. The Global data privacy officer will share the records of security breaches concerning European Personal Data which is processed by a Crefovi Entity as a data controller in the EEA or in the UK, with the DPA in their country or jurisdiction, if requested by that DPA to do so.
2.3. Each Crefovi Entity will take steps to ensure the reliability of those Personnel who have access to or responsibility for European Personal Data, including processing European Personal Data in accordance with the firm’s instructions.
3. Working with data processors
3.1. When a Crefovi Entity engages the services of another Crefovi Entity as a data processor to process European Personal Data on its behalf, such data processor will comply with the relevant requirements of these Standards, and if necessary, the parties will put in place and comply with the terms of any additional agreements which may be required by applicable EU Privacy Laws.
3.2. When a Crefovi Entity engages the services of a data processor to process European Personal Data on its behalf and the data processor is a third party, the Crefovi Entity will select a data processor that provides appropriate assurances as to the level of security it will employ in respect of the European Personal Data to be processed. The Crefovi Entity will ensure that a contract is entered into with third party data processors, which addresses relevant requirements of applicable EU Privacy Laws.
3.3. Where the Crefovi Entity is established in the EEA or the UK, and engages a third party data processor established outside the EEA or the UK, to process European Personal Data on its behalf, the Crefovi Entity will either:
(a) ensure that a contract is in place with the data processor substantially in the form of, or incorporating the terms of, the Model Clauses for data processors (subject to any amendments that may be permitted by Applicable EU Privacy Laws); or
(b) ensure that other suitable protections are in place, in accordance with Applicable EU Privacy Laws, to safeguard the European Personal Data.
3.4. If a Crefovi Entity (acting as a data controller) transfers European Personal Data to a third party controller outside the firm, the Crefovi Entity will ensure that such transfers are carried out in accordance with the requirements of applicable EU Privacy Laws. Where required by applicable EU Privacy Laws, or where otherwise permitted by applicable EU Privacy Laws, and considered appropriate, the Crefovi Entity will put in place safeguards to protect the European Personal Data and the rights of individuals. Such safeguards may take the form of a contract, either in the form of the Model Clauses for controller to controller transfers, or in another form which will provide an adequate level of protection.
4. Staff training
4.1. Crefovi maintains a privacy and security awareness program focused on educating all Personnel, solicitors and paralegals about the firm’s privacy and security policies as well as privacy and security best practices.
4.2. A variety of communications channels are used to disseminate privacy and security awareness information. Best practices guides and privacy and security awareness tip sheets and initiatives are available on dedicated privacy and security intranet sites for all Personnel to access.
4.3. Each Crefovi Entity will also ensure that Personnel who have access to, or responsibility for, handling personal data are provided with appropriate guidance and training.
5. Conflict with applicable Local Laws
Where Local Law requires a higher level of protection for European Personal Data than is set out in these Standards, the provisions of the Local Law will take precedence.
6. Mutual assistance and cooperation with Data Protection Authorities
6.1. Each Crefovi Entity will comply with instructions issued by the DPA in their country or jurisdiction insofar as they relate to these Standards or to the processing of European Personal Data generally, and will take into consideration any advice given by the DPA as to the interpretation of these Standards.
6.2. Crefovi Entities will assist one another in responding to any enquiry or investigation by a DPA relating to these Standards.
6.3. Crefovi Entities will also assist one another in responding to an enquiry or complaint from a data subject relating to these Standards, or the processing of their European Personal Data.
7. Responsibility for compliance
7.1. All Crefovi Personnel are required to comply with these Standards and must indicate their acceptance of these Standards, in conjunction with the firm’s latest Acceptable Use of Communication Systems Policy, when they join the firm and thereafter, on an annual basis.
7.2. The firm has executed the BCR agreement. Crefovi France has been appointed by the firm as the Crefovi Entity with delegated EEA data protection responsibilities. Crefovi France shall take action to remedy any breach of the Standards, which it can enforce contractually through the BCR Agreement.
7.3. Crefovi France accepts responsibility for taking action to remedy acts and omissions of other Crefovi Entities outside the EEA or the UK, which breach these Standards and to pay compensation for any damages resulting from such a breach of the Standards by Crefovi Entities located outside the EEA or the UK. Consequently, any claims against Crefovi offices located outside the EEA or the UK should be brought against Crefovi France. Any claim against a Crefovi office located in the EEA or the UK should be brought against such Crefovi office.
8. Audit programme to verify compliance
Crefovi undertakes to put in place measures to assess and verify compliance with these Standards and applicable data protection legislation.
9.1. Crefovi’s Privacy Committee will keep these Standards under review, will ensure that they are updated regularly and will communicate relevant updates to Crefovi Entities without undue delay. The Privacy Committee will ensure that any changes in the firm’s structure are reflected in these Standards and that any new Crefovi Entities are required to accept and comply with the terms of these Standards.
9.2. The non-confidential provisions of these Standards (including the content of Appendix 1 (Data privacy complaints procedure)) will be published on the external Crefovi website. The full text of the Standards will be made available on request (subject to a confidentiality agreement) to any data subject who wishes to exercise the rights of redress described in the Data privacy complaints procedure at Appendix 1.
10. Rights of access, correction and objection (including marketing and profiling)
Each Crefovi Entity acknowledges that data subjects have the following rights as third party beneficiaries in relation to the Crefovi Entity in its capacity as a data controller of European Personal Data:
10.1. the right to receive information about the way in which their Personal data is processed by the relevant Crefovi Entity, in its capacity as a data controller of European Personal Data, including a copy of these Standards and the Data privacy complaints procedure;
10.2. the right to receive a copy of European Personal Data held about them (including the purpose and manner of processing) by the Crefovi Entity within the time scales and at the intervals specified in Applicable EU Privacy Law, subject to the payment of any fee which the Crefovi Entity is permitted to charge under applicable EU Privacy Laws, and subject to any right to refuse such request in whole or in part that may be available to the Crefovi Entity under applicable EU Privacy Laws;
10.3. the right to have their European Personal Data updated, corrected or completed, in particular because of the incomplete or inaccurate nature of the data, subject to the provisions of applicable EU Privacy Laws;
10.4. the right to have European Personal Data erased, subject to the provisions of applicable EU Privacy Laws;
10.5. the right to restrict processing of their European Personal Data, subject to the provisions of applicable EU Privacy Laws;
10.6. the right to receive the European Personal Data, which the Data subject has provided to a Crefovi Entity in its capacity as a data controller of European Personal Data, in a structured, commonly used and machine-readable format and to transmit such personal data to another data controller, subject to the provisions of applicable EU Privacy Laws;
10.7. where required by the provisions of applicable EU Privacy Laws, the right not to receive direct marketing material without having given prior consent and, in all cases, the right to object at any time to the processing of their personal data (including profiling) for direct marketing purposes;
10.8. the right to object at any time to the processing of their European Personal Data, subject to the provisions of applicable EU Privacy Laws, and
10.9. the right to object to decisions involving their European Personal Data being taken about them based solely on automated processing, including profiling, where such decisions assess their personal characteristics or behaviour and produce legal effects which concern or significantly affect them (except to the extent permitted by and subject to the safeguards contained in applicable EU Privacy Laws).
11. Breaches of these Standards
Crefovi acknowledges that data subjects shall be entitled to enforce the following rights against the firm in respect of European Personal Data as third party beneficiaries:
11.1. a right to obtain a copy of these Standards upon request (subject to any confidentiality undertaking reasonably requested by the firm or the Crefovi Entity dealing with the request);
11.2. a right to receive a response within a reasonable time and not later than 1 month after the request was made, to any queries concerning the processing of the data subject’s European Personal Data outside the EEA or the UK;
11.3. a right to make a complaint and obtain appropriate redress (including, where appropriate, compensation for damage suffered) as a result of a breach of these Standards by any Crefovi Entity (excluding any breaches of the provisions relating to Personnel training, Crefovi’s policies and privacy function, audit programme and updates to these Standards);
11.4. a right to make a complaint to a Data Protection Authority in the EEA or the UK, in the country of habitual residence or place of work of the data subject, or the location of the alleged infringement of these Standards, and
11.5. a right to seek an effective judicial remedy in the appropriate court in the EEA or the UK, which may be in the jurisdiction in which the relevant Crefovi Entity is established or in the data subject’s habitual place of residence.
12. Enforcement of a data subject’s rights
12.1. The process for exercising the rights described in Section 11 is set out in more detail in the Crefovi Data privacy complaints procedure at Appendix 1 to these Standards.
12.2. A data subject wishing to enforce their rights should contact the Global data privacy officer, in the first instance, but may also lodge a complaint with the Chair of the Privacy Committee located in Paris, or the DPA, or the courts in the territory in which the relevant Crefovi Entity is located.
12.3. Any data subject seeking to enforce their rights under these Standards will be required to produce evidence giving rise to a ‟prima facie” case showing that a breach has occurred.