Compliance with Data Protection Law
DSM undertakes do everything in its power to comply with the laws and regulations governing the processing of personal data, including, but not limited to, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”) and any other national laws or regulations in force governing the processing of personal data.
Data Protection Officer
DSM has appointed a data protection officer (the “DPO”) who may be contacted at:
Address: 55-57 rue de Merl, L-2146 Luxembourg, Grand Duchy of Luxembourg
Telephone: +352 262 562 1
Who are the Data Subjects?
The Data Subjects (the ʺData Subjectsʺ), the persons whose personal data DSM processes are:
- DSM Website users (the ʺUsersʺ) or any other person who contacts DSM without being a client, particularly in the context of events organised by DSM;
- Persons responding to an employment offer published on DSM’s website or spontaneously sending in an application (the “Applicants“) to the following address: email@example.com;
- DSM’s natural person clients or representatives and/or employees of DSM’s legal person clients (the ʺClientsʺ); and
- Any other natural person the personal data of whom is submitted to DSM by a Data Subject, a partner or an opposing party. The personal data of these other persons is submitted to DSM under the responsibility of the Data Subjects who commit to transmitting it to DSM in compliance with the applicable legal provisions. The data will only be used by DSM if it is necessary in the context of DSM’s providing its legal advisory services.
What is the personal data collected by DSM and why is it used?
- Identification and contact information: Data Subject identification and contact information can be the (i) name and email address indicated in the contact form on the DSM Website (the ʺFormʺ), or (ii) data indicated in the business card provided by the Data Subject or the Data Subject’s email signature. This data will be processed by DSM to respond to Data Subject requests, or in the context of the exercise of its mandate.
- Content of CVs and motivation letters: The data transmitted by the Applicants shall be used in the context of applications and vacant positions. This data concerns the first and last names, birthdate, nationality, contact information (email address, postal address, telephone number), training, professional qualifications, professional experience as well as any other personal data contained in those documents.
- Content of Data Subject messages transmitted whatever the means of communication chosen: Data Subjects may contact DSM via different means of communication, including through social networks, to make their requests. That data will be processed by DSM to respond to Data Subjects’ requests, or in the context of the exercise of its mandate(s).
- Any other personal data provided to DSM in the context of a file open for one of DSM’s Clients depending on what is required: That data, collected directly or indirectly, allows DSM to provide its legal counsel and assistance services in the context of its legal obligations, in particular professional secrecy.
- Content and metadata: These correspond to transactions carried out on the DSM Website, meaning the flow of data generated by the activity of the Users. In principle, this data is not used by DSM as the DSM Website is simply the medium for the exchange of that data. However, certain elements could be used by DSM to allow DSM to better understand how the Users interact with the DSM Website and improve its functioning.
- Technical information: Technical information can be the type of navigator; language, country or time zone parameters; ID and cookie parameters; type of device used for the connection; hardware model and operating system; unique identifiers such as the IDFA (for iOS), MAC address or user id; IP addresses and information on the mobile network; sharing on social networks; or, geolocalisation data. DSM never uses the localisation given by GPS of the User’s device without having received the User’s explicit consent. This data is used to ensure optimal use of the DSM Website and personalize the DSM Website to each User (for example, by adapting the language in which the DSM Website is displayed or proposing the mobile version of the DSM Website if the connection comes from a mobile telephone).
Source of personal data
We obtain certain personal data directly from the Data Subjects. However, in particular in the context of the exercise of our mandate, we may obtain personal data indirectly. This would be the case, for example, when verifying the information transmitted in relation to our anti-money laundering and counter terrorist financing obligations, when the Data Subject’s opposing party, colleague or partner transmits to us a Data Subject’s personal data, or when our relationship is established through a third party.
Use of social networks
Data Subject personal data collected in the context of social network use may be processed by DSM which has a legitimate interest in using it for marketing and improving its advertising media as well as its image based on voluntary information transmitted or published by the Data Subjects.
DSM is on various social networks and is a joint data controller with them for certain processing, particularly when the logo of the social network used is on the DSM Website.
For more information on personal data processing on the different social networks, Data Subjects may consult the following notices:
DSM may add other social networks at any time.
Web browser cookies
DSM also uses “cookies” to improve the User’s navigation on the Site or to compile aggregate and anonymous statistics enabling the Users to understand the use of the DSM Website and to improve its structure and content.
Certain cookies do not require the Users’ consent because they are purely technical and their use falls in the scope of DSM’s legitimate interest. For the others, DSM collects Users’ consent prior to collecting their personal data via cookies.
How does DSM protect personal data?
DSM puts in place appropriate security measures during the entire personal data life cycle with a view to protecting it against unauthorized access, falsification, personal identification data disclosure or destruction and, as soon as possible, pseudonymises the Data Subject’s personal data.
Data Subjects are responsible for ensuring that all personal data they send to DSM is sent in complete security.
DSM takes reasonable measures to ensure that:
- Your personal data is exact and, if necessary, updated by allowing Data Subjects to modify inexact data at any time; and
Sharing personal information
DSM is the sole recipient of personal data which may only be shared with third parties: (i) in the context of the execution of its mandate and based on strict necessity (for example, the recipients of our correspondence and documents and/or in the context of legal representation before a court); (ii) with all governmental and/or public authorities when required by law; or (iii) who are subcontractors and service providers, solely for the purpose of allowing them to provide their services. DSM has entered into an agreement with each one of its service providers to specify the manner in which they may access and process the personal data. The service providers are subject to a confidentiality commitment and put in place personal data security measures at least equivalent to ours.
DSM does not transfer personal data to any third country nor to any international organisation, except in circumstances of strict necessity for the provision of services, in which case such data transfers (collectively, the ʺTransfer Mechanismsʺ) are based on:
- An Adequacy Decision adopted by the European Commission. The countries covered are referenced in: [https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en];
- Appropriate standard contractual clauses; or
- Any other data transfer mechanism valid under the GDPR, particularly in case of necessity for the performance of a contract between the Data Subject and DSM.
The Transfer Mechanisms used are made available at DSM. Any Data Subject may contact the DPO at the contact information above to obtain more information on this issue.
With Clients’ prior consent, DSM may also transmit their names, as a business reference to: (i) professional directories such as Chambers and Partners, Legal 500, Leaders League, IFLR1000, and/or (ii) it other Clients or prospects in the context of requests for proposals.
A referree Client’s quote may, as applicable, be accompanied by an explanation of the file, pursuant to the information requested by the directory professional and the consent given by the client. In principle, what will be requested is a résumé of the Client’s files with DSM, DSM’s role as legal counsel, the financial volume of the transaction(s) concerned as well as the Client of the contact person information.
Such processing is done solely based on the consent of the Client, who always has the option of withdrawing its consent at any time, with no fee or penalty. However, such withdrawal shall not adversely affect the legitimacy of the data processing done based on consent given prior to its withdrawal.
DSM may send informative emails for similar services provided by DSM (the ʺElectronic Communicationsʺ) to the Data Subjects whose electronic contact information DSM obtained by providing services when those Data Subjects in question did not object to such use when obtaining their email address.
Any other unsolicited electronic communications not covered in the above provisions shall be made exclusively based on the Data Subject’s consent.
The Data Subjects also have the option of objecting to such use of their email address, at no cost and simply by (i) clicking on the “unsubscribe” link in each Electronic Communication, or (ii) directly contacting the DPO at the contact information indicated above.
If a Data Subject objects to receiving Electronic Communications, he/she will receive none as soon as he/she has demonstrated his/her opposition thereto by one of the means identified in the preceding paragraph.
This processing is based on DSM’s legitimate interest in informing on its activity and legal news, thus allowing DSM to continue to provide its services and promote its image vis-à-vis Data Subjects.
Events and conferences
DSM organises events and in-person and online conferences, organised either directly or jointly with other partners (ʺDSM Events”). When a Data Subject participates in the DSM Events, DSM collects personal data concerning him/her such as his/her identity, contact information as well as the data related to his/her presence at the DSM Event and any other personal data or business information that he/she may spontaneously provide to DSM (such as his/her food preferences) to allow the organization and carrying out of the DSM Event. The Data Subject’s contact information may also be used for sending Electronic Communications using the above-mentioned modalities.
This personal data is processed directly by DSM or by its partners organising the DSM Event, as applicable.
This personal data is retained for the period necessary for the organisation and completion of the event, with the exception of the identity, contact information and reference of the DSM Event to which the Data Subject was invited or in which he/she participated. That data will be retained for a period of five (5) years starting from the end of the relationship between the Data Subject and DSM.
The Data Subject shall be informed that he/she may appear in photos or videos taken during his/her participation in the DSM Event (the ʺImagesʺ). The Images may be published in paper or digital format via the usual media channels and will be archived internally to document DSM’s history. The Data Subject may oppose the processing of the Images concerning him/her by contacting the DPO at the above-indicated contact information to allow DSM to take the necessary measures, to the extent possible.
The processing in the context of DSM Events is based on the performance of a contract when the Data Subject is registered for a DSM Event, and DSM’s legitimate interests for the rest, in particular the management of invitations and the organization of an event prior to the Data Subject’s acceptance of the DSM Event invitation. DSM’s legitimate interests are its wish to inform and contribute to the education of individuals as well as to bring together its partners and Clients at DSM Events to promote each of them with respect to common values.
DSM processes the personal data contained in the CVs and motivation letters sent by the Applicants to firstname.lastname@example.org.
The processing of the applications corresponds to the execution of pre-contractual measures.
The Applicants’ personal data will be retained for a maximum of two (2) following the last contact with an Applicant.
- For Data Subjects who are not DSM Clients: five (5) years from the end of the relationship between the Data Subject and DSM, unless for applications for which the period is two (2) years after the last contact with the Applicant;
- For Data Subjects who are DSM Clients: according to the duration set in the engagement letter signed with DSM, or failing that, for a duration of ten (10) years starting from the end of the calendar year during which DSM ended its representation, unless there is a statute of limitations or longer legal retention requirement.
- For all Data Subjects: DSM’s setting up of backups ensures the availability of data as well as access thereto in the required timelines in case of a material or technical incident. The data stored in the backups is retained until it is overwritten by a new backup. It is data ʺout of useʺ which is used for backup purposes only. In the event of erasure of such personal data by a Data Subject, the personal data in the backups will be deleted to the extent technically possible.
DSM commits to deleting and anonymising your personal data by the expiration of the relevant retention period as described above, increased by a few days or weeks, proportionate to the duration indicated above, should that be necessary to ensure the deletion or anonymization of the relevant data in practice, unless there a compelling reason not to should arise (in the context of a dispute, for example).
Data Subject rights
Each Data Subject benefits under the applicable data protection legislation from a right to access, of modification, limitation and opposition to the processing of his/her personal data, a right to erasure and a right to portability of his/her personal data by contacting the DPO at the contact information given above. Those rights may only be exercised within the limits of the relevant texts, in particular of any contractual or legal obligation. Each Data Subject has also a right to lodge a complaint with the Luxembourg supervisory authority, the National Data Protection Commission (Commission nationale pour la protection des données) (https://cnpd.public.lu/en.html).
Last updated: 21 April 2020