When providing our services through our website or otherwise, we collect and use certain personal data of users/clients. Such collect and use is necessary either to ensure the quality of our services or to allow users/clients to access specific services provided by us or to comply with our legal and regulatory obligations.
The spectrum of the concept of “personal data” is as large as including any mean of identification of an individual, from eye colour to navigation history. “Personal data” means, from a legal viewpoint, any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Identification data: first and last names, email address, business and/or private addresses, professional activity, official ID documents, gender, IP address, user name, signature, pictures, biometric data, image (CCTV);
- Analytic data: browsing behaviour (e.g. which pages have been consulted, how often and how long, etc…), communication preferences, feedbacks and survey;
- Financial data: personal financial data are mainly collected for KYC/AML and billing purposes and include banking information, information on patrimony, source of funds, shareholdings;
- Business data: telephone number, corporate documents, professional networks, business affiliations, etc…;
- Credentials: our human resources management process requires Brouxel & Rabia to process personal data including professional and academic curriculum, names of former employers, personal activities, languages;
- Health: human resources management and protection involve the collection of this type of data; and
- Judicial records.
Certain personal data may be communicated to us via our business network. In such a case we will assume that users/clients have consented to such a communication.
For technical maintenance and security purposes (building access and safety management, IT security, remote equipment management, website performance monitoring, management of sub-contractors agreements, etc…);
- To pursue our business activities through contractual engagements with clients, business partners, third parties;
- To pursue our business activities through marketing activities (events, surveys, communications, registration to external business activities, promotion of business activities, etc…);
- To comply with our legal and regulatory obligations (in particular from an AML/KYC standpoint);
- For invoicing purposes;
- For human resources management purposes (including social events);
- For knowledge management purposes (employees’ identification requested for the use of external databases, library management including individual subscriptions or orders for instance); and
- Any other purpose upon users/clients’ request or as indicated to users/clients upon collection of personal data.
In every instance, Brouxel & Rabia is collecting and using personal data (i) with the express prior consent of the concerned user/client, and/or (ii) to fulfil the terms and conditions of a lawful agreement involving the user/client and/or (iii) to comply with legal and regulatory obligations and/or (iv) for the legitimate purpose of enabling us to pursue our legal advisory activity.
Certain personal data collected by Brouxel & Rabia need to be transferred to some sub-contractors due to the externalisation of certain services:
- Sub-contractors in charge of the IT maintenance and security;
- Sub-contractors in charge of the building security and access management;
- Sub-contractor in charge of archiving and documents destruction;
- Sub-contractor providing KYC/AML software;
- Sub-contractors providing ancillary services (cleaning, knowledge for instance);
- Processors and sub-processors (cloud services providers, data centres);
Brouxel & Rabia has concluded agreements with all concerned third parties guaranteeing the conformity of their data protection rules and policy to ours and to the legal standards and requirements.
Certain personal data may also be transferred to business partners, notaries, auditors, banks and more largely to entities, administrations, supervisory bodies or intervening parties in the course of our business to adequately perform our legal services.
Given the current state of European law and case-law on this matter, Brouxel & Rabia is mitigating as much as possible the possibility of transfers of personal data outside the European Union and should such transfers however take place, Brouxel & Rabia will first assess the risks and second ensure that the concerned countries apply an appropriate level of protection and security under the standards admissible in Luxembourg and at a European level. Any such transfer will be contractually documented in a form agreed by the European Commission.
Brouxel & Rabia policy is to store and keep personal data that it collects for as long as necessary according to the collection purpose at hand, for the duration of our contractual relationship with the concerned person and in any case no longer than five years. Brouxel & Rabia has a strict archiving and data deletion/documents destruction policy in place.
Should you wish to access your personal data that Brouxel & Rabia has collected, rectify, update or erase them, revoke your consent to our treatment of your personal data, object to the transfer of your personal data or otherwise have any query relating to the treatment by us of your personal data, please address it to the following address: email@example.com. You should also be aware of the fact that you may at any time revoke your consent to the treatment of your personal data – by informing us accordingly at the address mentioned above. You may also request the portability of your personal data, i.e. that Brouxel & Rabia directly transmit your personal data to another data controller.
Any complaint against us relating to the treatment of personal data shall be addressed to the Commission Nationale de Protection des Données (Faire valoir vos droits – Particuliers – Commission nationale pour la protection des données – Luxembourg (public.lu)).
While we commit to promptly inform our users/clients of any data protection breach, we expect from them to inform us of any change in their personal data in a timely manner.
Brouxel & Rabia
8-10 avenue Marie-Thérèse
Grand Duchy of Luxembourg