Privacy policy.

Given the nature of our activities, we may process personal data relating to:

• our current and former clients, prospects, and their representatives, directors, employees, agents, beneficial owners, shareholders, co-investors and advisers;
• counterparties and adverse parties, and their representatives and advisers;
• notaries, bailiffs, judges, civil servants and representatives of administrative, tax, judicial or regulatory authorities;
• our suppliers, service providers and their staff;
• lawyers and correspondent law firms with whom we cooperate;
• candidates applying for a position with the Firm;
• subscribers to our communications and visitors to our offices.

We obtain personal data from several sources:

• directly from you, when you contact us, instruct us, attend an event, apply for a position, or otherwise share your contact details with us;
• from third parties, including clients, counterparties, other lawyers, advisers, notaries, or any person related to a matter we handle;
• from public sources, including the Luxembourg Trade and Companies Register, the Register of Beneficial Owners, sanctions lists, databases and other publicly available sources.

We cannot always control the extent of personal data communicated to us by third parties. We invite you to share only data that is strictly relevant to the matter, and to redact or pseudonymise irrelevant personal data where possible.

Depending on the context, we may process the following categories of personal data:

• identification data (name, date and place of birth, nationality, ID/passport copy, signature, photograph);
• contact details (postal and email addresses, telephone numbers, position, employer, organisation);
• financial and banking data (bank details, statements, information on assets, income, debts and guarantees, where necessary for the engagement);
• professional data (CV, qualifications, mandates, publications);
• judicial and compliance data (criminal record extracts, PEP status, sanctions list information, KYC/AML information);
• contractual data relating to the formation, performance and termination of our engagements;
• image and sound data from events we organise or attend, where applicable.

We process personal data to negotiate and perform our engagement letter and provide legal services (including matter opening, billing and communication with authorities and other professionals involved); to comply with our legal and regulatory obligations, including KYC/AML duties, Bar professional rules (notably as regards conflicts of interest), accounting, tax and social security obligations, and reporting duties (including DAC6); to administer the Firm, secure our information systems and assets, prevent fraud, manage disputes and defend our rights, develop our client base, organise events and send professional communications to our clients and contacts (subject to your right to object); and, where applicable, on the basis of your consent, in particular for direct marketing to prospects, which you may withdraw at any time without prejudice to the lawfulness of processing carried out beforehand. We do not sell, lease or rent your personal data.

Where necessary for the purposes set out above, your personal data may be disclosed to:

• our partners, lawyers, trainees and support staff, bound by professional secrecy or equivalent confidentiality obligations;
• our processors and service providers (IT and hosting providers, document management platforms, accounting and payroll providers, recruitment firms, event organisers), bound by GDPR-compliant contracts;
• Luxembourg and foreign lawyers and correspondent law firms involved in our engagements;
• notaries, bailiffs, experts, sworn translators, auditors, financial advisers, banks and other professionals involved in a matter;
• public authorities (courts, tax, regulatory and supervisory authorities, Bar associations), where required by law or necessary for our engagement. Information disclosed to Luxembourg authorities may be further disclosed to foreign authorities under international information-exchange frameworks;
• our clients, where data was provided to us by a third party in the context of an engagement;
• any other recipient with your consent.

We retain personal data only for as long as necessary for the purposes for which it was collected, subject to applicable statutory retention obligations. As a general rule, personal data relating to client files and matters is retained for the duration of the engagement and for a period thereafter consistent with applicable limitation periods. Data relating to mailings, newsletters and other professional communications is retained until you inform us that you no longer wish to receive them, or until your contact details cease to be in use. Data relating to candidates who are not hired is retained for one year following the end of the recruitment process, unless you have authorised a longer retention period. At the end of the applicable periods, personal data is securely deleted or irreversibly anonymised.

The performance of our engagements may require personal data to be transferred to countries located outside the European Economic Area (the "EEA"), in particular where a matter involves a client, counterparty or correspondent law firm established outside the EEA, or where our service providers operate from a third country.

Where the destination country is not subject to an adequacy decision of the European Commission, we implement the appropriate safeguards provided for in Chapter V of the GDPR, in particular the Standard Contractual Clauses adopted by the European Commission.

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These include encryption of data in transit and at rest where technically feasible, multi-factor authentication, strict access controls on a need-to-know basis, access logging, contractual security and confidentiality obligations imposed on our processors, and physical security of our offices.

Subject to the conditions of the Applicable Law, you have the right to access your personal data, to obtain the rectification of inaccurate or incomplete data, to obtain the erasure of your data (subject to our legal retention obligations), to obtain the restriction of processing, to receive your personal data in a structured, commonly used and machine-readable format and to have it transmitted to another controller (right to data portability), to object to processing at any time, and, where processing is based on your consent, to withdraw such consent at any time without prejudice to the lawfulness of processing carried out beforehand.

You may exercise these rights free of charge by writing to info@swalespark.com or to our registered office (attention: Data Protection Officer). We may ask you to evidence your identity to prevent abuse.

You also have the right to lodge a complaint with the competent supervisory authority. In Luxembourg, this is the:

Commission Nationale pour la Protection des Données (CNPD) – 15, boulevard du Jazz, L-4370 Belvaux, Luxembourg – Phone: +352 26 10 60 1 – https://cnpd.public.lu

We reserve the right to amend this Policy to reflect legal, regulatory or operational developments. The most recent version is available on www.swalespark.com. The effective date set out below indicates the latest update.

For any question, request or complaint regarding this Policy or our processing of your personal data, you may contact us at:

Email: info@swalespark.com

Mail: Swale & Spark – Data Protection Officer, 4, rue Pierre de Coubertin, L-1358 Luxembourg.

Phone: +352 27 68 68 80