We, NautaDutilh, may process information about you ('personal data'), when you browse our website or social media pages, use our apps, visit our firm, show interest in or may be interested in our firm or in our services, are an alumni or apply for a position within our firm. We may also collect and use your personal data, when you or your company become(s) our customer or supplier, or when we provide services to you or our clients in general.
We will process your personal data in a lawful and fair manner and in accordance with the EU (and where applicable also the UK) General Data Protection Regulation ('GDPR'). This policy explains how we process and protect your personal data and provides you with more information on your rights as a data subject.
Please be informed that we appointed a Data Protection Officer for our offices in Amsterdam, Rotterdam, London and New York. You can also reach out to our DPO for any questions or concerns with regard to the processing of your personal data by sending an e-mail to email@example.com
1. Information about us
We have offices in Amsterdam, Brussels, London, Luxembourg, New York and Rotterdam. The office(s) providing services to you / your company is/are the controller(s) with regard to your personal data within the meaning of the GDPR. However, our offices will all qualify as joint controllers with regard to the processing of your personal data through our website (including cookies), apps and social media pages and for general marketing, business development and recruitment activities. Whenever we are joint controllers, we are jointly responsible for the way your personal data is handled and you can exercise your rights in respect of and against each office. Please find more information about our offices on our website under 'Legal information'.
2. What personal data do we process about you?
We may collect and process certain personal data about you as described in more detail below, if:
- you interact with us through our website or social media pages;
- you use our apps;
- you visit our firm;
- you show interest in or may be interested in our firm or in our services;
- you are an alumni;
- you apply for a position within our firm;
- you or your company become(s) our customer or supplier; or
- we provide services to you or our clients in general.
The personal data we process may include:
- Your name, gender, (job) title, and the company you work for;
- Your contact details, such as your (business) e-mail address, department, company/home address and your (business) phone number;
- Your date of birth, place of birth and nationality;
- Information from trade registers and other public/private sources;
- Relevant background information, such as your skills, your professional and/or educational background, your relationship to our client or supplier etc.;
- Your national identification number (but only to the extent required or authorised by law);
- Your payment details, if necessary for invoicing or payment purposes;
- Information related to your visit to our website, such as the type of your device, your IP address and the user-agent;
- Information on the use of our apps (e.g., your e-mail address, moment of downloading and login, app version and platform used);
- Correspondence with you or containing information about you;
- Your reviews with regard to our services;
- Information about your interactions with and visits to our firm;
- Video call recordings by means of online communication and collaboration platforms (we might also process your name and photo for this purpose);
- Information about your attendance of our events, training courses and/or conferences;
- The services you are or may be interested in and if and when you opened our marketing e-mails;
- Your resume, cover letter, information about your application procedure and the results thereof, and any other information relevant for the position you apply for, which may also include an assessment and/or pre-employment screening;
- Personal data that we need for compliance with our legal obligations (such as client identification data as part of our customer due diligence obligations);
- Personal data we receive or collect in the course of the provision of your services/goods, which may contain financial information (including invoices and VAT-numbers) and information with regard to your services/goods;
- Personal data we receive or collect in the course of the provision of our services, which may contain information on legal issues, disputes, convictions, sanctions and fines. It may also include the name and contact details of other people related to you, such as your professional advisors, business contacts and/or family members;
- It may sometimes also include special categories of personal data. However, we kindly request that you do not send us sensitive personal data about you or others, if this is not necessary for the provision of our services.
3. Why do we process your personal data?
We may process your personal data for the following purposes:
- To provide our services to you, your company or our clients in general (including training courses), and to handle requests, enquiries or complaints received ("Provision of Services");
- To handle your subscription to any of our recruitment services or events, handle your job application and assess your eligibility to work with us ("Recruitment");
- To manage our relationship with our suppliers and business partners (including a due diligence procedure) ("Procurement");
- To comply with regulatory and policy requirements ("Compliance");
- To identify services you may be interested in and to communicate with you about our services (e.g. via our newsletters or events) and to build or maintain a professional relationship ("Marketing and Relationship Management");
- To maintain, develop and improve our website, apps and social media pages, in particular by generating statistics regarding their use ("Internet Analytics");
- To protect our offices, business, property, people, visitors, network, website, apps and databases and to prevent, detect and combat any misuse or fraudulent/criminal behavior ("Security");
- To monitor, analyse and/or improve our services, business processes and systems ("Business Development and Continuity");
- To exercise our rights by establishing, exercising or defending a legal claim or in order to defend ourselves or our staff against a legal claim from third parties (including disputes, complaints, questions and/or investigations) ("Legal/Dispute Resolution").
4. Why may we collect and process your personal data?
We base the processing of your personal data for the above-mentioned purposes on the following legal bases:
- Provision of Services: If we provide the services directly to you, the processing of your personal data for this purpose is necessary for the performance of our contract with you. If we provide the services to your company or our clients in general, the processing of your personal data is in our legitimate interests to conduct business. For the provision of services, we might also need your personal data to comply with our legal obligations. With regard to our notarial services, the processing of your personal data may also be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in our notaries. If you choose not to give us your personal data for this purpose, we might not be able to provide our services to you or your company.
- Recruitment: We process your personal data based on your consent, our legitimate interests to recruit integer and qualified professionals, or as necessary in the context of the intention to enter into a contract with you.
- Procurement: If we procure goods or services directly from you, the processing of your personal data for this purpose is necessary for the performance of our contract with you. If we procure the goods or services from your company, the processing of your personal data is in our legitimate interests. For the procurement of goods and services, we might also need your personal data to comply with our legal obligations. If you do not provide us with your personal data for this purpose, we might decide not to engage you or your company.
- Compliance: The processing of your personal data is necessary for compliance with our legal obligations. This may include record keeping, compliance with statutory retention periods and reporting your personal data to official authorities for compliance with fiscal, anti-money laundering or other legal obligations. If you choose not to give us your personal data for this purpose, we might not be able to continue our contractual relationship with you or your company.
- Marketing and Relationship Management: if we do not ask for your consent, we base these activities on our legitimate interests. If you do not want to receive our marketing e-mail messages, you can refuse to give us your consent or you can click on the unsubscribe link at the bottom of each e-mail sent. If you refuse/withdraw your consent or opt-out of these communications, you will suffer no consequences other than no longer receiving them.
- Internet Analytics: if we do not ask for your consent, we base these activities on our legitimate interests. If you refuse/withdraw your consent or opt-out, you will suffer no consequences.
- Security: we use your personal data for this purpose to prevent, detect and combat fraudulent or criminal activity. We have a legitimate interest in protecting our offices, business, property, people, visitors, network, website, apps and databases and in preventing, detecting and combating misuse or fraudulent/criminal behavior in this regard.
- Business Development and Continuity: we have a legitimate interest in processing your personal data to maintain a healthy and prosperous business.
- Legal/Dispute Resolution: it is in our legitimate interest to be able to exercise our rights and to defend ourselves and our staff against legal claims.
5. Where do we get your personal data from and with whom do we share it?
We may receive your personal data from and share your personal data with the following third parties (among others):
- You or your representative
- Your company / your colleagues
- Persons authorised by us to process your personal data, who have committed themselves to confidentiality or are subject to an appropriate legal obligation of confidentiality
- The chamber of commerce
- The land registry
- Commercial databases
- Event organisers
- Recruitment agencies
- Universities and educational institutions
- Judicial bodies, courts and tribunals
- Public authorities, governmental organisations and law enforcement agencies
- Supervisory authorities
- Financial institutions, such as banks and insurance companies
- Public websites and databases (only a source of information)
- (Potential) clients and/or their representatives
- Our clients' counterparties and/or their representatives
- Immigration authorities (work and/or residence permits)
- Consultancy firms, accountancy firms, auditors
- ICT service providers
- Other suppliers, business partners and service providers
- Other NautaDutilh group companies
Please note that we may also process your personal data for transactions concerning our firm (e.g. transfer of industry, merger and takeover). Your personal data may be passed on to third parties involved in these transactions, such as lawyers, accountants and other advisers.
If your personal data is transferred to entities outside the European Economic Area, which do not benefit from an adequacy decision from the European Commission (such as our New York office and various international clients and business partners), we will implement necessary and appropriate safeguards before passing on your personal data (e.g. EC Standard Contractual Clauses). These transfers may also be based on the fact that they are necessary for the establishment, exercise or defense of legal claims or on your consent.
Please be informed that third parties receiving your personal data are themselves responsible for compliance with privacy legislation, if they act as independent controllers (e.g. clients, banks, insurance companies, accountancy firms, public authorities etc.). We are neither responsible nor liable for the processing of your personal data by these third parties.
If we transfer your data to third parties, acting as our processors or as joint controllers, we will enter into a data processing agreement or a joint controller agreement with these parties, as required by the GDPR.
6. How long do we keep your personal data?
We will keep your personal data no longer than necessary to achieve the purposes for which your personal data is collected and processed. Your personal data will be kept in accordance with our retention policy, which also takes into account statutory retention periods.
This policy is available upon request to firstname.lastname@example.org
7. How do we protect your personal data?
We are committed to protect your personal data against accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access. To this end, we have implemented appropriate technical and organisational measures, which are described in our information security policy. The latest version of our information security policy is available upon request to email@example.com.
8. What are cookies and what type of cookies do we use?
Cookies are small text files with information. They are installed on your device when you visit a website. Some cookies are technically necessary for the proper operation of a website. This means that some activities within a website cannot be performed without the use of these cookies. These technical or session cookies do not require consent.
Functional cookies allow websites to remember your actions and preferences, which might be practical when you visit a websites again, or when you change pages within a website. These cookies do not require consent either.
There are also cookies, which can be used for analytics (e.g., on how you use a website) (analytics cookies), or which track your behavior over the internet in order to show you targeted ads (tracking or profiling cookies). These cookies usually require your consent. We do not use these types of cookies.
Third-Party cookies are cookies from websites or web servers other than the website you visit.
We use the following cookies, all of which are strictly necessary to ensure the proper functioning of our website:
The third parties setting cookies on our website act as independent controllers. Their privacy policies can be found as follows:
Third-Party Cookies in relation to the use of Social Media
If you are interested in one of our videos related to our services, our website links you to the YouTube website for viewing this video content and leaving any comments or likes.
In this case, third-party cookies may be installed on your device. YouTube is a Google service and Google acts as an independent controller with regard to these cookies. You can find more information about the privacy terms of Google/YouTube here.
If you would like to share our content on social media through the social media share buttons on our websites, cookies may be set by these parties as independent controllers as well.
This may also happen when you visit our social media pages on LinkedIn, Facebook, Twitter and Instagram. Please find their cookie policies here: Facebook, Twitter, LinkedIn and Instagram.
How to manage your cookie settings
Please be informed that you cannot only manage your cookie preferences by means of our cookie banner, but you can also block or delete cookies through your browser settings. Please find more information on this topic on the website(s) of the browser(s) you use:
9. Your rights as a data subject
Under the conditions provided for by the GDPR (and the UK GDPR for our office in London), you have the following rights with regard to our processing of your personal data (see Art. 12-23 GDPR):
- the right to access your personal data as well as to obtain information on the processing of your personal data;
- the right to rectify/correct the personal data we hold about you, if this information is incomplete or inaccurate;
- the right to request erasure of your personal data, if unnecessary or otherwise unlawfully processed;
- the right to restrict the processing of your personal data, if you believe this data is inaccurate, unnecessary or unlawfully processed or if you objected to the processing thereof;
- the right to object to the processing of your personal data, if we rely on our legitimate interest and you believe that we should not process your personal data based on grounds related to your particular situation;
- the right to data portability, which means that you may request that we transfer your personal data in a structured, commonly used and machine-readable format to you or to another controller. This applies to situations where you provided us with your personal data and the processing is carried out by automated means, based on your consent or the performance of our contract with you;
- the right to withdraw a given consent at any time, where the processing is based on your consent. This does, however, not affect the lawfulness of the processing activities before withdrawal;
- the right not to be subject to impactful decisions based solely on automated processing, including profiling; and
- the right to lodge a complaint with the competent supervisory authority, if you believe that we do not process your personal data in compliance with the applicable data protection legislation.
With reference to the right to rectification, we kindly request that you notify us as soon as possible of any changes to the personal data we hold about you, so that your personal data remains complete and accurate.
If you would like to exercise any of these rights or if you have a complaint about how we handle your personal data, please send an e-mail to firstname.lastname@example.org
For your protection and the protection of the persons, whose information we process in general, please allow us to verify your identity when you make a request (as also required by the GDPR).
Please be informed that our lawyers and notaries must adhere to their professional duty of confidentiality. Therefore, it might not always be possible to disclose the information requested.