We process personal data about you as a client in connection with the business operations of our firm, when you visit our website, subscribe to our newsletter or attend our events.
The conditions of our processing of your personal data and your personal rights in this connection are further described below in accordance with the rules of the General Data Protection Regulation (the ‘GDPR’).
If you have any questions about our processing of your personal data or you wish to exercise your rights, you are always welcome to contact us:
Valge 13, 11415 Tallinn
Telephone: +372 602 8411
As part of the administration of our client, we are processing personal data about you. In all relationships with clients, we are processing information with a view to establishing a relationship with the client, client management and performance of the business operations of our firm. Below is specified the personal data processed in this connection.
In order to administer, manage and cultivate the relationship with our clients, we process personal data about you as a client or a potential client. As part of our client management, the following types of information are processed.
Ordinary personal data. These include identification information and contact information about clients, owners of the client and/or contact persons, as well as representatives of the client. Furthermore, we process information about our relationship with the client, including correspondence, and information about accounts receivable and outstanding amounts. In certain cases, we collect credit information about clients.
The legal basis for the processing is Article 6(1)(b) of the GDPR, according to which personal data can be processed if necessary for the performance of a contract, in this case the task or the potential task. Furthermore, personal data can be processed if necessary for the purposes of FLC’s legitimate interests, including the establishment and cultivation of a relationship with a client, see Article 6(1)(f) of the GDPR; just as there might be situations where we store your personal data even if we do not enter into a consultancy agreement.
There are a number of requirements in the anti-money laundering legislation that we must meet. In order to meet these requirements for the prevention of money laundering and financing of terrorism, we process personal data about you.
Ordinary personal data. Including processing of information, such as name, personal code (alternatively passport number or another national identification number), the information is compared with a reliable and independent source, digital signature, or copy of picture ID (e.g. passport, driver’s licence or the like), owner and control structure, beneficial owners, alternatively the day-to-day management.
The legal basis for the processing is Article 6(1)(c) of the GDPR, according to which personal data can be processed when necessary for compliance with a legal obligation. In exceptional cases, sensitive personal data can be processed, and such processing will be based on Article 9(2)(g) of the GDPR; just like information about criminal offences can be processed pursuant to the Personal Data Protection Act.
When providing legal advice in the field of commercial law, including company law, licensing, M&A, tax law and lawsuits, including criminal cases, we process personal data about you as, for example, business owner, beneficial owner, board member, employee, customer and supplier. These data are processed in order to advise our clients on matters pertaining to commercial law.
|Ordinary information||Sensitive information|
|Information||Identification information, including personal code, contact information, copy of ID, information about criminal offences, family matters, bank and payment information, financial matters, contractual relationships, tax matters, staff matters, other relevant information available.||Any relevant data concerning health, data revealing trade union membership, etc.|
|Basis of processing||Basis of processing when processing is necessary for the performance of a contract (the task), compliance with a legal obligation, FLC and the client’s legitimate interests in relation to conducting legal proceedings, advising and practising law, see Article 6(1)(b)(c) and (f) of the GDPR.||The legal basis for processing is Article 9(2)(f) of the GDPR.|
We process personal data in connection with marketing activities, including the provision of courses, events, etc., as well as sending out newsletters. Processing is necessary in order to provide services to interested parties.
In this context, ordinary personal data are processed, including name, contact information and possible interests or preference for topics, as well as language.
The legal basis for processing of personal data in connection with courses, events, sending out newsletters, etc. is our legitimate interests in marketing its business (see Article 6(1)(f) of the GDPR.)
We send out newsletters and other marketing material only if we have obtained your explicit consent. You can always withdraw your consent by contacting us via the above contact information or follow the instructions at the bottom of our newsletters.
In connection with our business operations, we process personal data concerning our suppliers and business partners.
In this connection, ordinary personal data are processed, including name, place of work and contact information, as well as information about the relationship and correspondence.
The legal basis is our legitimate interests in managing and practising law, see Article 6(1)(f) of the GDPR. In some cases, the legal basis is Article 6(1)(b) of the GDPR, according to which processing is necessary for the performance of a contract to which the data subject is a party.
The legal basis is our legitimate interests in generating statistics and, by this process, analysing the use of our website, e.g. to optimize it (see Article 6(1)(f) of the GDPR.)
We are active on social media. When you interact with us on these media, you are making information available to us and the social media, e.g. when you respond to our postings, comment on or share them, just like we process information that you ‘like’ FLC or follow us on the social media.
In addition, ordinary information is processed about you in the form of, for example, identification information, contact information, your profile photo, etc.
Furthermore, we will in some cases share, for example, a piece of news in which your identification information (name) is included. In these cases, we always request your prior consent. You can always withdraw your consent by contacting us via the above contact information. The purpose of the processing is branding and marketing of FLC.
The legal basis for the processing is our legitimate interests in marketing us as a firm on social media and knowledge sharing in the form of sharing of articles, etc. (see Article 6(1)(f) of the GDPR.)
Information on social media is deleted when we delete a posting or when you delete your comment, share, reaction or indication that you ‘like’ or follow us.
We obtain basic personal information from you in our visitor’s database and or the archive of visitor registration cards, which includes but is not limited to name, phone number, reason of visit, date & time. Video footage is also being recorded on our CCTV system installed on company premises.
We collect and process information to ensure the physical security of the people and items, security of confidential information located in our premises or accessible from our premises. This is done to prevent loss, frauds, thefts, injuries, terrorism and other events of such kind in our premises.
Our visitors’ personal data is maintained in a secure manner. Only authorized employees have access to it. We will only keep such personal data for as long as is reasonably necessary for the purposes outlined above or to comply with legal requirements under applicable law(s).
In connection with client management, case management and professional advice, FLC primarily obtains information from the client but may also obtain information from publicly available sources, public authorities and opponents.
Information for the prevention of money laundering and financing of terrorism is generally obtained from the client but may also be obtained from your employer (our client) and public registers.
We obtain information in connection with marketing from you as a data subject, and in connection with various events and courses, the information may be collected from the company where you are employed.
In connection with our business operations, information is likewise obtained from the data subject (supplier, business partner, etc.), or from the company where the person is employed.
In connection with our visitors, information is obtained from the visitors themselves.
Your personal data are disclosed only in connection with case management and professional advice, and only when FLC is legally obliged to do so, or when you have given your consent. You can always withdraw your consent by contacting us via the above contact information.
Data may be disclosed to the following parties:
In addition, we disclose your personal data to data processors, who are assisting us in our business operations.
In principle, we do not transfer your information to countries outside the EU/EEA. However, transfer may take place if you or a party to the case is located in a so-called third country. In this case, the legal basis is Article 49(1)(e) of the GDPR, according to which transfer may take place if necessary for the establishment, exercise or defence of legal claims, just like transfer may take place if you have given your consent. You can always withdraw your consent by contacting us via the above contact information.
In certain cases, we also use data processors located outside the EU/EEA. At your request, we can inform you where you can obtain a copy of the basis of transfer in question.
We are joint data controllers with some of our business partners and cooperating lawyers. Pursuant to Article 26 of the GDPR, joint data control exists when two or more data controllers jointly determine the purposes and means of processing of personal data. Agreements on joint data responsibility have been entered into with the business partners and cooperating lawyers in question.
We are, according to the agreements entered into, responsible for making systems available and the security of such systems, just like we are responsible for the administration of compliance with the anti/money laundering and terrorist financing legislation, including the whistle-blower system, and the overall compliance with the data protection legislation. Our business partners and cooperating lawyers are responsible for compliance with the obligation to provide information to their clients, etc. and to have a legal basis for the processing of personal data.
In respect to the rights of the data subjects, we are responsible for the right of access, right to erasure, obligation to provide information in connection with rectification, erasure or restriction, as well as right to data portability. Thus, the business partners and cooperating lawyers are responsible for providing information, rectification, restriction of processing and objection to processing. Whatever right you want to exercise, you can always contact us via the above contact information, and your request will be passed on to the business partners and cooperating lawyers, where relevant.
We process each candidate’s personal data in accordance with this paragraph, unless such processing, unless such processing conflicts with the requirements of applicable law, in which case applicable law will prevail.
We usually collect personal data directly from you when you apply for a role with us, such as your name, address, contact information, photographs and videos, work and educational history, achievements, identity documents, and test results. If you receive an offer from us, we may then conduct a background check and, to the extent permitted by applicable law. We may also collect data related to criminal offences and proceedings. We also collect similar personal data about you from third parties, such as professional recruiting firms, your references, prior employers, our employees with whom you have interviewed or who recommended your candidacy, and, to the extent permitted by applicable law, employment background check providers. We may also collect personal data about you online to the extent that you have chosen to make this information publicly available. For example, we may find your profile on professional social media websites (such as LinkedIn), and contact you about suitable roles.
Sensitive personal data is a subset of personal data that includes ethnicity, health, trade union membership, philosophical beliefs, sexual orientation, and other categories as prescribed by law. We may collect sensitive personal data about a candidate to the extent permitted to do so by applicable laws and to support our efforts to create an inclusive and diverse work environment. We may also collect sensitive personal data to the extent that you choose, without being asked, to voluntarily disclose it during the recruiting process.
We collect and use your personal data for legitimate human resources and business management reasons, including:
Our processing of your personal data for the purposes mentioned above is based:
If you accept an offer of employment with us, any relevant personal data collected during your pre-employment period will become part of your personnel records and will be retained in accordance with the privacy notice applicable to our employees, which will be provided during the on-boarding process.
If we do not employ you, we may nevertheless continue to retain and use your personal data for a period of time for system administration purposes, to consider you for potential future roles, and to perform research. Thereafter, we retain a minimal amount of your personal data to record your recruiting activity with us. It’s your right to withdraw your consent at any time, by contacting us at email@example.com.
All our employees are subject to strict confidentiality, including the processing of personal data.
We process your information for as long as it is necessary to fulfil the purpose of the processing.
In connection with client management, case management and professional advice, FLC generally stores your information for five years from the end of the year in which the case was closed, unless otherwise required according to legislation or in case of original documents.
If no case has been created and we have registered information about you only in connection with creating a possible relationship, we will store your information for up to six months after ending the correspondence.
Information for money laundering control and counter-terrorist financing purposes is stored for five years after the case is closed pursuant to the money laundering legislation.
Information about you as a supplier or cooperating partner is stored for up to five years after the end of the year during which the delivery took place or the cooperation was terminated.
FLC stores your information for up to six months after you have entered our premises.
As a data subject, you have certain rights according to the GDPR when your personal data are being processed. Below is a specification of your rights when we process personal data about you.
If you want to exercise one or more of your rights as a data subject, you must contact us in writing via the email address indicated above. Please state your full name and your e-mail address. You may be requested to provide further identification.
In general, you can exercise your rights at any time. However, exercising your rights must not affect the rights and freedoms of others and in such an event, we may therefore refuse to comply with your rights wholly or in part.
As a data subject, you have the right to obtain access to your personal data being processed by FLC. By contacting FLC, you can obtain information about the categories of personal data that we as a data controller are processing about you, the purpose of the processing, the recipients to whom the personal data have been disclosed, etc.
If you request further copies of the personal data undergoing processing, we may charge a fee. If the inquiry is manifestly unfounded or excessive, we may either charge a fee for providing the information or reject your request.
You have the right to obtain rectification of your personal data if these are inaccurate or misleading. If we do not agree that the data are inaccurate, however, we are not obliged to correct them, but to add that you as a data subject do not think that the data are correct.
In certain cases, you have the right to obtain erasure of your personal data if FLC no longer has a purpose in processing your personal data or you object to the processing of your personal data for the purposes of direct marketing or pursuant to Article 6(1)(f) of the GDPR. If FLC can demonstrate overriding legitimate grounds for the processing that override your interests, rights and freedoms, or the processing is necessary for a legal claim to be established, exercised or defended, however, FLC is not obliged to erase your personal data.
In certain cases, you have the right to obtain restriction of processing of your personal data, e.g. if you contest the accuracy of the personal data collected about you or if you have objected to the processing of your personal data based on legitimate interests pursuant to Article 6(1)(f) of the GDPR. In such an event, FLC will only store your personal data until your objection has been considered. If we lift the restriction of our processing of your personal data, you will be notified in advance.
On grounds relating to your particular situation, you have the right to object to FLC’s processing of your personal data, if the processing is based on legitimate interests, see Article 6(1)(f) of the GDPR. If you object to FLC’s processing of your personal data, we are no longer entitled to process your personal data, unless we can demonstrate overriding legitimate grounds for the continued processing that override your interests, rights or freedoms, or the processing is necessary for a legal claim to be established, exercised or defended.
You always have the right to object to the processing of your personal data if the processing takes place for the purposes of direct marketing.
In certain cases, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to have those data transmitted from one data controller to another data controller. This right applies only when the processing of your personal data is based on a contract pursuant to Article 6(1)(b) of the GDPR or your consent, see Article 6(1)(a) of the GDPR.
Your personal data are not subject to decisions based solely on automated processing, including profiling.
To the extent that we process your personal data based on your consent, you can always withdraw your consent to any future processing. You can withdraw your consent by sending an email to firstname.lastname@example.org.
As a data subject, you can lodge a complaint with FLC as a data controller if you are not satisfied with the way that we process your personal data. You can find our contact information above.
You can always lodge a complaint with the Estonian Data Protection Inspectorate (www.aki.ee; Tatari tn 39, 10134 Tallinn, Estonia; phone +372 627 4135; email email@example.com).
Last update: 07.04.2021.