In accordance with the provisions of the EU Regulation n°2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) and any applicable national data protection laws (including but not limited to the Luxembourg law of 1st August 2018 organizing the National Commission for data protection and the general system on data protection, as amended from time to time) (collectively hereinafter the “Data Protection Laws”), Fiveoffices acting as data controller (the “Data Controller”) collects, stores and processes by electronic or other means the data supplied by User (as defined in the General Terms and Conditions) or if the User is a legal person, any natural person related to it such as its contact person(s), employee(s), trustee(s), nominee(s), agent(s), representative(s) and/or beneficial owner(s)) (the “Data Subjects”) at the time of acceptance of the General Terms and Conditions for the purposes outlined below.
The data processed includes as applicable the Data Subject’s name, e-mail, address, phone number, proof of address, bank account data, IBAN and BIC codes, and client communications, as applicable (the “Personal Data”).
The Data Subjects may, at their discretion, refuse to communicate the Personal Data to the Data Controller. In this event however the Data Controller may reject their request for accessing the Service (as defined in the General Terms and Conditions) if the relevant Personal Data is necessary for the Service to be rendered.
Users who are legal persons undertake and guarantee to process Personal Data and to supply such Personal Data to the Data Controller in compliance with the Data Protection Laws, including, where appropriate, informing the relevant Data Subjects of the contents of the present section, in accordance with Articles 12, 13 and/or 14 of the GDPR.
Personal Data supplied by Data Subjects are processed in order to render the Services (i.e. to perform any pre-contractual measures as well as the contract entered into by the Data Subjects), for the legitimate interests of the Data Controller and to comply with the legal obligations imposed on the Data Controller.
In addition, the Personal Data supplied by Data Subjects are processed for the purpose of (i) User account administration; (ii) client relationship management and (iii) commercial prospection. In addition, the Data Subjects acknowledge their rights to oppose to the use of Personal Data for commercial prospection by writing to the Data Controller.
The “legitimate interests” of the Data Controller referred to above are:
a) the processing purposes described in points (i) and (ii) of the above paragraph of this clause;
b) the provision of the proof, in the event of a dispute, of a transaction or any commercial communication as well as in connection with any proposed purchase, merger or acquisition of any part of the Data Controller’s business;
c) compliance with national and foreign laws and regulations and/or any order of a national foreign court, government, supervisory, regulatory or tax authority;
d) risk management;
e) processing Personal Data of employees of Users which are legal persons; and
f) exercising the business of the Data Controller in accordance with reasonable market standards.
The Personal Data may also be processed by the Data Controller’s data recipients (the “Recipients”) which, in the context of the above mentioned purposes, refer to any suppliers of Fiveoffices, or any third party that acquires, or is interested in acquiring or securitizing, all or part of the Data Controller’s assets or shares, or that succeeds to it in carrying on all or a part of its businesses, or services provided to it, whether by merger, acquisition, reorganization or otherwise as well as any other third party supporting the activities of the Data Controller. The Recipients may, under their own responsibility, disclose the Personal Data to their agents and/or delegates (the “Sub-Recipients”), which shall process the Personal Data for the sole purposes of assisting the Recipients in providing their services to the Data Controller and/or assisting the Recipients in fulfilling their own legal obligations.
The Recipients and Sub-Recipients may be located either inside or outside the European Economic Area (the “EEA”) in countries such as the United States or the United Kingdom. Where the Recipients and Sub-Recipients are located in a country outside the EEA which benefit from an adequacy decision of the European Commission, the Personal Data are transferred to the Recipients and Sub-Recipients upon such adequacy decision. Where the Recipients and Sub-Recipients are located outside the EEA in a country which does not ensure an adequate level of protection for Personal Data or does not benefit from an adequacy decision of the European Commission, the Data Controller has entered into legally binding transfer agreements with the relevant Recipients in the form of the European Commission approved model clauses or any other appropriate safeguards pursuant to the GDPR. In this respect, the Data Subjects have a right to request copies of the relevant document for enabling the Personal Data transfer(s) towards such countries by writing to the Data Controller.
The Recipients and Sub-Recipients may, as the case may be, process the Personal Data as data processors (when processing the Personal Data on behalf and upon instructions of the Data Controller and/or the Recipients), or as distinct data controllers (when processing the Personal Data for their own purposes, namely fulfilling their own legal obligations).
The Personal Data may also be transferred to third-parties such as governmental, judicial, prosecution or regulatory agencies and/or authorities, including tax authorities, in accordance with applicable laws and regulations.
In accordance with the conditions laid down by the Data Protection Laws, the Data Subjects acknowledge their right to:
- access their Personal Data;
- correct their Personal Data where it is inaccurate or incomplete;
- object to the processing of their Personal Data;
- restrict the use of their Personal Data;
- ask for erasure of their Personal Data;
- ask for Personal Data portability.
The Data Subjects may exercise their above rights by writing to the Data Controller at the following address:
76, Grand Rue
The Data Subjects also acknowledge the existence of their right to lodge a complaint with the Commission Nationale pour la Protection des Données (the “CNPD”), or with any competent data protection supervisory authority of their EU Member State of residence.
Personal Data shall not be retained for periods longer than those required for the purpose of their processing subject to any limitation periods imposed by law.