Privacy Policy
Bersay (hereinafter the “Firm”) respects the privacy of all its contacts – established in the context of cases, assignments, partnerships, etc. – and processes their personal data with all due diligence and in accordance with the applicable regulations, i.e. Regulation n°2016/679 (EU) of 27 April 2016 known as the General Data Protection Regulation (“GDPR”) and the French Data Protection Act of 6 January 1978 in its updated version (the “Applicable Regulations”). The Firm acts as data controller for the data it processes.
As such, the purpose of this Privacy Policy (hereinafter the “Policy”) is to provide information on the manner in which the Firm, in its capacity as data controller, processes personal data (hereinafter the “Personal Data”) concerning the Firm’s clients, suppliers, prospects and visitors to our website (the “Website”) (hereinafter “You” or “Your”), on the one hand, and on the means available to them to exercise their rights in relation thereto, on the other hand.
1 – Identity of the data controller
The Cabinet is responsible for the processing of Personal Data implemented under this Policy.
Its postal address is: 31 avenue Hoche, 75008 – Paris.
It’s contact email address is: contact@bersay.com
Its telephone number is: (+33)1 56 88 30 00.
2 – Definitions
Terms beginning with a capital letter, such as, but not limited to, “Personal Data”, “Processing”, “Data Subjects”, “Controller”, “Processor”, “Recipient”, “Data Breach”, have the meaning given to them by the Applicable Regulations, in particular the GDPR.
3 – What Processing is carried out on Your Personal Data?
The Processing carried out by the Firm are set out in the table below, which includes the following information for each Processing:
- The purpose(s) of the Processing, i.e. specified, explicit and legitimate aims of the Processing which govern it for the entire duration of the Processing;
- The legal basis for the Processing, i.e. the legal basis for the Processing which justifies its implementation and makes it legitimate;
- The list of Personal Data processed, it being specified that the Firm only collects information that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. The type of Personal Data collected depends on the context of Your direct and/or indirect interactions with the Law Firm;
- The method of collection of Personal Data, which may be direct (Data sent by the Data Subject him/herself) or indirect (Personal Data collected or generated by any other means/technology)
- The length of time the Data is kept, which is always determined and proportionate to the purposes of the Processing and takes into account the legal possibilities for archiving and any obligations to anonymise and/or keep certain Personal Data.
The Firm takes into account the principles of data minimisation and protection by design and by default. Consequently, Personal Data is collected that is relevant, adequate and limited to what is necessary for the purposes for which it is processed.
As a matter of principle, the Firm does not process sensitive Personal Data within the meaning of the Applicable Regulation, with the exception of (i) Personal Data necessary for the establishment, exercise or defence of legal claims, where this is required in the context of the task entrusted to the Firm and in accordance with Article 9 of the GDPR or (ii) trade union membership where this Personal Data is required in the context of a case handled by the Firm.
If You submit Personal Data about another person, You represent and warrant that You are authorised by that person to allow the Firm to process it in accordance with this Policy.
| Processing | Data subject(s) | Purposes | Legal basis | Data processed | Collection method | Data retention period |
| Customer relationship management | Customers | – Handling cases entrusted to the Firm
– Managing exchanges with customers
– Organising, registering for and managing invitations to the Firm’s events – Measuring customer satisfaction
– Verification of Customer identity – Verification that there is no conflict of interest – Anti-money laundering and combating thefinancing of terrorism |
Contractual performance (Customer contracts)
Legitimate interest of the Firm
Compliance with the Firm’s legal and ethical obligations |
– Surname, first name, title
– Contact details (email and postal address, city, region, country, telephone number) – Professional details (profession, job title, name of employer) – Trade union membership (if required for a case handled by the Firm) – Data relating to family life and assets where relevant to the case in question – Image (photograph or video), e.g. for events organised by the Firm |
– Exchanges by e-mail, contact form, order form, telephone or business cards
– Signing contracts with the Firm – Registration for events organised by the Firm – Social networking – Surveys, promotions and other measures of satisfaction |
Duration of contractual relationship on an active basis and 5 years on an intermediate basis for probationary purposes. |
| Commercial prospecting | Prospects
Customers |
– Managing exchanges with prospects
– Sending commercial prospecting messages – Organising, registering for and inviting to the Firm’s events – Sending newsletters and information/update emails – Responding to public or private calls for tender |
Pre-contractual measures taken at the Prospect’s request
Legitimate interest of the Firm |
– Surname, first name, title
– Contact details (email and postal address, city, region, country, telephone number) – Professional details (profession, job title, name of employer) |
– Exchanges by e-mail, contact form, order form, telephone or business cards
– Enquiries – Registration for events organised by the Firm – Social networking |
Prospects: 3 years from the date of collection by the Firm or the last contact from the Prospect (e.g. a request for documentation or a click on a hypertext link contained in an email).
Customers: 3 years from the last contact with the Customer. |
| Management of opt-out lists for prospecting | Prospects
Customers |
– Receiving and responding to opt-out requests from Customers and Prospects
– Restriction and/or deletion of data – Management and updating of opposition lists |
Legitimate interest of the Firm | – Surname, first name, title
– Contact details (email and postal address, city, region, country, telephone number) – Professional details (profession, job title, name of employer) – Date of opposition request |
Formulation of the opt-out request by clicking on the unsubscribe link located in the footer of commercial prospecting emails or by any other means (email for example) | 3 years from the exercise of the right to object |
| Management of Supplier Relationship | Suppliers | – Supplier search and selection operations
– Negotiating, executing and monitoring contracts – Managing exchanges with suppliers |
Contractual performance (supplier contracts) | – Surname, first name, title
– Contact details (email and postal address, city, region, country, telephone number) – Professional details (profession, job title, name of employer) |
Exchanges by e-mail, contact form, order form, telephone or business cards | Duration of contractual relations on an active basis and 5 years on an intermediate basis for probationary purposes. |
| Management of the Website and IT infrastructure | Customers
Prospects Website users |
– Website administration
– Production of statistics to measure the Website audience and the newsletter opening rate – Improving our online services – Measures to ensure the security of the IT infrastructure |
Legitimate interest of the Firm | – Country, preferred language
– Identification data (IP address) – Connection data (logs, tokens, etc.) – Acceptance data (click) |
– Functional cookies
– Connection logs – Systems for tracking, logging and analysing audiences – Contact and newsletter subscription forms |
1 year from collection. |
| Management of potential litigation | Customers
Prospects Suppliers |
– Amicable negotiations
– Management of the litigation process – Taking evidence in litigation |
Legitimate interest of the Firm | – Surname, first name, title
– Contact details (email and postal address, city, region, country, telephone number) – All other data processed elsewhere insofar as it relates to the subject of the dispute or is necessary for the management of the dispute. |
– Exchanges by e-mail, contact form, order form, telephone or business cards
– Data obtained from case management – Data obtained by any means in the course of litigation or pre-litigation proceedings |
For the duration of the dispute and until (i) signature of the settlement agreement (pre-litigation) or (ii) exhaustion of legal remedies (litigation). |
| Billing management | Customers
Suppliers |
– Billing administration
– Printing invoices – Receipt of invoices – Payment management – Accounting entries |
Legal obligation | – Surname, first name, title
– Professional details (profession, job title, name of employer) – Payment details, billing address and bank account details – IBAN, BIC |
– Signing contracts with the Firm
– Communication of the necessary information by any means during any exchange with the Firm |
10 years from the end of the financial year. |
| Video surveillance of the area around the entrance to the surgery | Prospective Customers | – Managing the safety of goods and people
– Making it easier to identify visitors at the reception desk |
Legitimate interest of the Firm | – Visitor image | – Recordings made by the video surveillance system installed at the entrance to the surgery | 7 days from the date the images are recorded |
4 – Who are the Recipients of Personal Data?
The Firm may send your Personal Data to authorised Recipients who are subject to an appropriate obligation of confidentiality, who may be internal or external depending on the case, and those who must process it solely for the purposes set out herein and within the framework of the appropriate protection and security measures detailed below.
Internal Recipients are all members of the Firm whose duties, functions and tasks justify them processing your Personal Data. Depending on the case, this may include lawyers, employees and trainees.
External recipients are :
- Processors acting on behalf of the Law Firm in the context of specific processing and in accordance with the Law Firm’s instructions;
- Legal authorities, court officers, colleagues, experts, agents, investigators, etc. ;
- Ordinary bodies responsible for supervising the legal profession ;
- Supervisory authorities responsible for control or inspection in accordance with the Applicable Regulations, such as the CNIL;
- In the event of a proposed sale of the Firm’s business, the potential purchaser(s) and their advisors will conduct an audit prior to the transaction, it being specified that in the event of an acquisition, your Personal Data may form part of the assets transferred. If your Personal Data is transferred, the acquirer will act as the new Data Controller under its own data processing policy.
5 – How is the security of Personal Data ensured?
The Firm takes care to protect and secure Personal Data from the time it is collected until it is permanently deleted and implements appropriate technical and organisational measures to preserve its confidentiality, ensure its security and prevent its accidental or unlawful destruction, loss, alteration or unauthorised disclosure.
These measures include
- Security measures for access to premises (access codes, individual keys),
- Managing authorisations and restrictions on data access rights,
- The use of secure identification procedures,
- Raising awareness among partners, associates, employees and trainees,
- Securing the Wifi connection used in the Cabinet and remotely,
- Implementing safeguard measures,
- Implementing encryption measures (private keys),
- Implementing traceability measures.
The Firm’s service providers and Processors are bound by security and confidentiality undertakings guaranteeing the same level of protection for Personal Data as that afforded by the Firm and prohibiting them from using Personal Data for any purposes other than those for which the Firm shares it with them; more specifically, they are not authorised to use the Personal Data communicated to them for commercial purposes or to disclose it to other third parties.
In all cases, where Processors are used, the Firm (i) contractually imposes on them security guarantees similar to those implemented internally to protect your Personal Data and (ii) reserves the right to audit them in order to ensure compliance with their obligations.
Personal Data is hosted in France. Any transfer of Personal Data outside the European Union is carried out in compliance with the requirements set out in the Applicable Regulations.
In accordance with the Applicable Regulations, in the event of a Data Breach likely to give rise to a risk to the rights and freedoms of Data Subjects, the Firm undertakes to notify the CNIL within the time limits and under the conditions prescribed by the GDPR and, where required by the said regulations, to communicate this Data Breach to the Data Subjects (individually or generally, as the case may be).
6 – What are your rights regarding your Personal Data and how can you exercise them?
6.1. Statement of rights and how to exercise them
Right of access
The right of access allows you to obtain from the Firm (i) confirmation as to whether or not Personal Data concerning You is being processed, the conditions of implementation and the characteristics of such Processing and, if so, (ii) a copy of your Personal Data in electronic form. In this case, the sending of an initial copy of the Personal Data is free of charge, but for any additional copy, the Firm is entitled to demand payment of a reasonable fee based on the administrative costs incurred.
Right of rectification
You have the right to obtain from the Firm, as soon as possible, the rectification of Your Personal Data which is incomplete or obsolete.
Right to erasure
Subject to the exceptions provided for by Applicable Regulations (e.g.: retention necessary to comply with a legal obligation), You have the right to ask the Firm to delete Your Personal Data as soon as possible, where one of the following reasons applies:
- Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed;
- You wish to withdraw Your consent on which the Processing of Your Personal Data was based and there is no other basis justifying this Processing;
- You consider and can establish that Your Personal Data has been processed unlawfully.
Right to restriction of Processing
You have the right to obtain the limitation of the Processing, i.e. the freezing of the use of Your Personal Data by the Firm, when You have requested for rectification, deletion or opposition for the time that the Firm analyses your request. During this period, the Personal Data is retained by the Firm but can no longer be processed.
Right to object
You have the right to object to the Processing of Your Personal Data on grounds relating to Your particular situation, in which case the Firm will no longer Process Your Personal Data for the purposes objected to, unless the Processing is justified on legitimate and compelling grounds.
You also have the right to object to the Processing of your Personal Data for marketing purposes, which You may exercise without giving any reason.
Right to data portability
Where the Firm processes, on the basis of consent, the Personal Data that You have communicated to it in connection with online services offered by the Firm, You may request the portability of the Personal Data, i.e. its return in a commonly used format.
Right to withdraw consent
Where the Firm processes your Personal Data on the basis of your consent, such consent may be withdrawn at any time by using the means made available to You for this purpose (procedure indicated in point 8.2 of this Policy). On the other hand, and in accordance with the Applicable Regulations, the withdrawal of consent is valid only for the future and cannot therefore call into question the lawfulness of the processing carried out prior to this withdrawal.
Right to lodge a complaint with a supervisory authority
If, despite the Firm’s efforts to preserve the confidentiality of Personal Data, You consider that this confidentiality is not ensured, a complaint may be lodged with the competent supervisory authority. The list of supervisory authorities is available on the European Commission website. In France, this is the CNIL, which can be contacted via the online complaints service on the CNIL website, or by post by writing to : CNIL – 3 place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Post-mortem right
Lastly, You have the right to organise what happens to Your Personal Data after Your death by formulating general or specific directives concerning its retention, deletion and/or communication. The Firm undertakes to respect these instructions. In the absence of instructions, the Firm acknowledges that heirs may exercise certain rights, in particular the right of access, if this is necessary for the settlement of the deceased’s estate, and the right to object to the further processing of the deceased’s Personal Data.
6.2 – Terms and conditions for exercising rights
For any questions relating to this Policy and/or to exercise Your rights as described above, You may contact the Firm:
- By email to: contact@bersay.com, or
- by post to: Bersay, personal data department, 31 avenue Hoche 75008 Paris
If the request is submitted electronically, the information will also be provided electronically where possible, unless You expressly request otherwise.
The request to exercise your rights must be made by you alone (unless you have duly authorised a third party to do so) and must be as clear and exhaustive as possible to enable the Firm to respond as quickly as possible, within one to three months depending on the level of complexity of the request.
the Firm may ask you to complete your request if it is not sufficiently precise, if the right you wish to exercise is not easily identifiable or if the Firm is unable to establish your identity, in which case the Firm may ask you to provide additional information, in particular proof of identity, which will be deleted once your identity has been verified.
Furthermore, the Firm will not be obliged to respond to your request if it is manifestly unfounded or excessive, and in particular if you make repetitive requests which have the purpose or effect of destabilising the Firm’s activities. In such a case, the Firm will inform you of the reasons for its inaction.
7 – Use of cookies
The Website only uses cookies for reasons that are strictly necessary for its operation. The Website deposits a mandatory “server” cookie to enable it to function, as well as a cookie to retain the Website’s language preference during the session only.
These cookies do not collect any Personal Data about You, nor are they used to track and/or trace Your interactions with the Website. Consequently, these cookies do not require Your consent.
8 – Applicable law and jurisdiction
This Policy is governed by French law. In the event of a dispute, the competent courts will be those within the jurisdiction of the Paris Court of Appeal, notwithstanding multiple defendants or the introduction of third parties.
9 – Changes to the Privacy Policy
The Firm may amend the Policy at any time to take account of changes in legislation, regulations and/or case law, a change in the characteristics of the Processing or the implementation of a new Processing. These modifications take effect at the time of their publication on the Website. You will be subject to the most recent version of the Policy. The latest version of the Policy applicable is always the one accessible from our Website, which includes the date of the last update.