The following describes how GSK Stockmann SA, 44, Avenue John F. Kennedy, L-1855 Luxembourg, Luxembourg, RCSL B 205 326 (hereinafter also referred to as “GSK Stockmann”, “we”, “us”) processes your (and possibly third parties’) personal data within the scope of our relationship with you as client or otherwise as regards processing your case. We take the confidentiality and protection of your personal data very seriously. For this reason, we process your personal data exclusively insofar as it is legally admissible, in particular on the basis of the General Data Protection Regulation of the EU (“GDPR”) and the Luxembourg law dated 1 August 2018 on the organisation of the National Data Protection Commission, implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “Data Law”).
The following gives you an overview of which personal data we process exactly, how we use them, who we are potentially passing them on to and what your data protection rights and remedies are.
1. Who is responsible for processing my data?
This data protection notice applies to data processing by us (GSK Stockmann) as the person responsible for data protection in the sense of the GDPR.
If you have any questions, suggestions or complaints regarding data protection at GSK Stockmann, you can reach us using the following contact details: luxembourg@gsk-lux.com.
2. Clients
2.1. Which personal data do we process?
We process certain data received from you or from third parties commissioned by you or your contact persons in connection with our client relationship or otherwise as regards processing your case. This includes in particular the following data:
2.2 What are the purposes and the legal bases for the data processing?
We are processing your data at your request and in accordance with Art. 6 para. 1 s. 1 lit. b) GDPR for the purposes stated: in order to appropriately fulfill our relationship with you as our client and to mutually fulfill obligations arising from the client contract (performance of contract or precontractual measures). If you have not mandated us, your data will be processed based on Art. 6 para. 1 s. 1 lit. f) GDPR (legitimate interest; whereby the legitimate interest is within the scope of necessity for the aforementioned purposes).
In some cases we are required by law to process certain data (Art. 6 para. 1 lit. c) GDPR). We are under such obligation e.g. due to the Money Laundering Act (“GWG”), which stipulates that we must identify our clients (Sec. 11 para. 1 s. 1 GWG). Furthermore, according to Sec. 50 of the German Federal Lawyer’s Act (“BRAO”), professional law prescribes that we keep legal refer-ence files (if necessary also electronically).
3. Business partners
In addition, we process personal data within the scope of cooperation with contracted service providers or suppliers as well as other business partners (“business partners”).
3.1 Which personal data do we process?
In the context of cooperation with our business partners or their points of contact, we process among others the following categories of personal data: name, address and other contact details, such as title, address, telephone or fax number and e-mail address; if applicable, details regarding your professional activity; bank account or payment information; if applicable, your tax identification number (“tax ID”).
3.2 What are the purposes and the legal bases for the data processing?
As above mentioned personal data are necessary to establish, execute and handle the contractual relationship with the respective business partner. We process these data based on Art. 6 para. 1 lit. b) GDPR; otherwise also according to Art. 6 para. 1 lit. f) GDPR.
4. Transmitting information occasionally
We also process your personal data in order to send you important or relevant client and/or legal information (e.g. GSK Updates on current legal topics) or other information and to point out GSK Stockmann events relevant to you.
4.1 Which personal data do we process?
In this context, we process among others the following categories of personal data: name, address and other contact details, such as title, address, telephone or fax number and e-mail address; if applicable, details regarding your professional activity.
4.2 What are the purposes and the legal bases for the data processing?
We process the aforementioned personal data in order to send you important or relevant information on current topics or events and to draw your attention to GSK Stockmann events relevant to you.
We process this data based on Art. 6 para. 1 lit. f) GDPR (legitimate interest; whereby the legitimate interest is carried out within the scope of necessity for the aforementioned purposes).
If there is no legitimate interest, we will only send you our client and/or legal information and information on events if you have given us your consent (Art. 6 para. 1 lit. a) GDPR).
You can revoke this consent at any time with effect for the future. In this case, we will not send you any further information in the future and we will delete your contact information unless we are entitled or obligated to retain it for other reasons (e.g. working on your case).
5. Do we transfer your personal data to third parties?
Your personal data will not be transferred to third parties for purposes not listed below.
Your personal data will be passed on to third parties insofar as it is necessary as per Art. 6 para. 1 s. 1 lit. b) GDPR for properly processing a client or business relationship with you or as per Art. 6 para. 1 s. 1 lit. f) GDPR for otherwise properly processing your case. This includes, in particular, for working on client matters, transferring data to an opposing party and its representatives (in particular its lawyers) as well as courts and other public authorities for the purpose of corresponding and asserting and defending legal claims. In individual cases it may also be necessary for us to transfer your data to third parties for the purpose of credit assessment.
In addition, contract processors we commission (in particular IT service providers) receive your data insofar as this is necessary for performing their respective services vis-à-vis us. These contract processors process the data exclusively on our behalf and in accordance with our instructions. Above all, contract processors are not permitted to use your personal data for their own purposes. The legal basis for such data processing is Art. 28 GDPR (contract processing) and Art. 6 para. 1 s. 1lit. b) GDPR (performance of contract or precontractual measures).
The third party must use the transferred data exclusively for the aforementioned purposes. With regard to a client relationship, the attorney client privilege remains unaffected.
We will also transfer your data to other offices of GSK Stockmann in Germany for the legitimate interest of internal administrative purposes, as provided in Recital (48) GDPR, and for the legitimate interest of complying with our general know-your-customer, anti-money laundering and conflict of interest management obligations.
6. Do you transfer data to third countries?
We will only transfer your personal data to third countries (outside the European Economic Area – EEA), if and as far as this is necessary to perform the service requested, if it is legally required or if a stakeholder involved is based in a third country or if you have given your consent.
7. How long do we store your personal data?
We process and store your personal data according to our statutory storage obligations. Our obligations under accounting and tax laws (i.e. the Luxembourg Commercial Code, the Money Laundering Act or the Luxembourg law dated 27 November 1933 on the recovery of direct contributions, taxes on alcohol and social security contributions, as amended, the Luxembourg general tax law dated 22 May 1931 (Abgabenordnung vom 22. Mai 1931), as amended or the Luxembourg law dated 12 February 1979 on value added tax, as amended ) impose us to maintain and record the relevant archive of business, accounting and tax data for a duration of ten years, while article 2276 of the Luxembourg Civil Code provides that the statute of limitation for clients’ actions against lawyers is five years.
Your personal data will be deleted after expiry of these legal obligations, unless we are legally obligated to retain them for a longer period of time in accordance with Art. 6 para. 1 s. 1 lit. c).
Otherwise, we will delete your personal data after the purpose for which it was collected has been fulfilled or no longer applies (e.g. after termination of the client or contractual relationship or other business relationship), unless we are entitled or obligated to retain it longer. In these cases, we will not use your data anymore and limit the processing of personal data in this respect.
8. Which rights do you have?
You have the right to request information from us at any time regarding your personal data processed by us. The lawyer client confidentiality obligation remains unaffected. If the legal requirements are met, you also have the right to have your personal data corrected and deleted or their processing restricted as well as the right to object to our processing of your data. Additionally, you also have the right to receive (or demand transmission to another person responsible) an overview of the relevant personal data you made available to us in a structured, commonly used, and machine-readable format.
If you have given consent to the processing of your personal data, you can withdraw it at any time with effect for the future. You can assert these rights among others by contacting us or our Data Protection Officer using the contact information mentioned under section 1. above.
You have the right to file a complaint about the processing of your personal data at a data protection supervisory authority.