Privacy & Personal
Data Protection Policy

This Privacy and Personal Data Protection Policy (hereinafter referred to as the “Policy”) aims to describe the purposes, methods, and conditions under which personal data is processed by: 

 

Anna Klein, attorney-at-law admitted to the Marseille Bar and the New York Bar, operating as a sole practitioner, registered under SIREN number 852 001 445, with her professional office located at 57 cours Pierre Puget, 13006 Marseille (hereinafter referred to as the “Attorney”). 

 

The Attorney may collect and process personal data relating to: 

  • Visitors and users (hereinafter the “Users”) of the website https://annaklein-avocat.com (hereinafter the “Website”) during their browsing; 

  • Prospective clients (hereinafter the “Prospects”); 

  • Clients (hereinafter the “Clients”) within the scope of her legal services (hereinafter the “Services”), where applicable in accordance with the engagement letters entered into with the Client or pursuant to the General Terms and Conditions of Sale relating to the booking of online consultations (hereinafter the “T&Cs”), available at the following link:
    https://annaklein-avocat.com/wp-content/uploads/CGV-Anna-Klein-juin25-AK.pdf

  • Her partners, fellow lawyers, service providers, and subcontractors (hereinafter the “Partners”); 

  • Any employees, partners, agents, representatives, interns, apprentices, temporary workers, service providers, and other individuals acting on behalf of a Client, Prospect, or Partner (hereinafter the “Representatives”). 

 

Together, the Users, Prospects, Clients, and Partners are hereinafter referred to as the “Data Subjects.” 

 

The Attorney is committed to protecting the privacy and personal data of the Data Subjects and ensures that such data is processed in accordance with applicable regulations, in particular Regulation (EU) 2016/679, known as the General Data Protection Regulation (the “GDPR”), and the French Data Protection Act (“Loi Informatique et Libertés”) of January 6, 1978, as amended.  

 

The Attorney reserves the right to amend this Policy at any time.  

 

The applicable version of the Policy is available to Data Subjects on the Website at the following link: https://annaklein-avocat.com/en/privacy-policy/ 

 

The version of the Policy applicable to Clients is provided to them as an appendix to each new engagement letter. 

 

  1. Data Controller 

 

The Attorney acts as the data controller for the personal data collected and processed in connection with the Services, under the conditions set out in this Policy. 

 

The data controller is the natural or legal person who determines the purposes and means of the processing of personal data. The data controller is responsible for such processing and serves as the primary point of contact for Data Subjects wishing to obtain information or exercise their rights. 

 

The Attorney may be contacted using the details provided in Article 10 (“Contact”) of this Policy. 

 

  1. Collection of Personal Data 

 

2.1Source of Personal Data 

 

The Attorney collects personal data concerning Users of the Website directly from the Users, solely in the context of contact initiated by the Users. 

 

The Attorney collects personal data concerning Clients (or their Representatives) directly from the Clients in the course of their use of the Attorney’s Services, in particular when they contact the Attorney or book an online consultation. 

 

The Attorney collects personal data concerning Prospects (or their Representatives): (1) directly from the Prospects; or (2) from third parties who have communicated the Prospects’ contact details to the Attorney for the purpose of recommending the Attorney’s Services, where such third parties have previously informed the Prospects of the potential contact by the Attorney and/or where such contact has been requested by the Prospect from the third party; or (3) through contact details made publicly available by the professional Prospect (for example, business cards or a website), and only where the Prospect has expressed an interest in being contacted by the Attorney. 

 

The Attorney collects personal data concerning Partners (or their Representatives): (1) directly from the Partners; or (2) from third parties who have communicated the Partners’ contact details to the Attorney for the purpose of recommending their services; or (3) through contact details made publicly available by the professional Partner (for example, business cards or a website). 

 

2.2 Mandatory Nature of Data Provision 

 

Certain information is required in order to access the Attorney’s Services, in particular for booking an online consultation or entering into an engagement letter. 

 

Mandatory fields are identified on the Website by an asterisk or are expressly requested by the Attorney. 

 

If such information is not provided, the Attorney may be unable to provide the corresponding Services. 

 

2.3 Accuracy of Data 

 

The Attorney makes reasonable efforts to ensure that the personal data of the Data Subjects is accurate and up to date. Data Subjects may request the update or correction of their personal data by contacting the Attorney using the contact details provided in Article 10 of this Policy. 

 

  1. Purposes and Legal Bases for Processing 

 

The Attorney processes personal data on the following legal bases and for the purposes described below: 

 

In the context of the performance of a contract (engagement letters and/or T&Cs) or pre-contractual measures relating to the use of the Services by Clients: 

 

  • the initial contact and exchanges between the Client and the Attorney in connection with the request for the Attorney’s Services; 

  • the booking of an online consultation; 

  • the preparation of a quote and the definition of the scope of the Attorney’s assignment; 

  • the signing of engagement letters; 

  • the implementation of the contractual relationship in accordance with the engagement letters and/or the General Terms and Conditions; 

  • the management and monitoring of Clients’ files; 

  • exchanges between the Attorney and the Client in the context of the contractual relationship; 

  • the invoicing of the Attorney’s fees; 

  • the collection of the Attorney’s fees; 

  • the management of any complaints. 

 

In the context of the performance of a contract with Partners or the implementation of pre-contractual measures: 

 

  • the initial contact and exchanges between the Attorney and the Partner for the purpose of defining the contractual relationship; 

  • the preparation and signing of quotes, purchase orders, contracts and/or engagement letters; 

  • the performance of the Services and/or the implementation of the contractual relationship with the Partner; 

  • exchanges between the Attorney and the Partner in the context of the contractual relationship; 

  • the invoicing of the Attorney’s fees; 

  • the collection of the Attorney’s fees; 

  • the payment of the Partner’s invoices; 

  • the management of any complaints. 

 

In the context of the Attorney’s legal obligations: 

 

  • to comply with the legal and regulatory obligations to which the Attorney is subject, including, without limitation, tax declarations relating to transactions and the retention of invoices; 

  • to maintain accounting records; 

  • to prevent money laundering, fraud and terrorist financing, and to combat corruption; 

  • to provide training to staff, where applicable, in accordance with the legal obligations to which the Attorney may be subject in her capacity as an employer; 

  • to communicate this, Policy; 

  • to manage requests made by Data Subjects in relation to their rights concerning the protection of personal data; 

  • to respond to any request, order, or injunction issued by a judicial, administrative, or law enforcement authority. 

 

In the context of the Attorney’s legitimate interests, in compliance with the fundamental rights and freedoms of the Data Subjects: 

 

  • contact initiated by the Data Subject with the Attorney using the contact details made available by the Attorney on her Website, on her business cards, or by any other means, or via her social media accounts (the Attorney’s legitimate interest is to promote and improve her Services by responding to requests from Data Subjects); 

  • contact initiated by the Attorney with Partners (the Attorney’s legitimate interest is to improve the quality of her Services); 

  • contact initiated by the Attorney with Prospects who have expressed an interest in the Attorney’s Services (the Attorney’s legitimate interest is to promote her Services and develop her client base); 

  • the management and operation of the Attorney’s social media accounts (the Attorney’s legitimate interest is to promote her Services and develop her Client base); 

  • the sending of newsletters, with the possibility for Data Subjects to unsubscribe (the Attorney’s legitimate interest is to promote her Services and develop her business through marketing strategies); 

  • the collection of reviews and feedback relating to the Attorney’s Services (the Attorney’s legitimate interest is to promote her Services); 

  • the management of relationships with Clients, Prospects, and Partners (the Attorney’s legitimate interest is to promote and improve her Services); 

  • the organization of, registration for, and invitation to events organized by the Attorney or in which the Attorney participates (the Attorney’s legitimate interest is to promote her Services and to develop and maintain relationships with her Clients and Partners); 

  • the management of debt recovery (the Attorney’s legitimate interest is to enforce and exercise her rights); 

  • the detection, investigation, prevention of, or action in relation to illegal activities, abuse, suspected fraud, or situations involving potential threats to the safety or rights of any person or entity, and the use of such data as evidence in the event of legal proceedings (the Attorney’s legitimate interest is to prevent fraud and any prohibited or illegal activity, and to enforce and exercise her rights); 

  • the protection and defense of her rights and interests before the competent courts, tribunals, or authorities (the Attorney’s legitimate interest is to enforce and exercise her rights); 

  • where applicable, to enable the training of members of her team and/or her Partners (the Attorney’s legitimate interest is to maintain a high level of expertise and to enhance the knowledge of her teams); 

  • to enable the performance of compliance and security audits (the Attorney’s legitimate interest is to maintain a high level of regulatory compliance). 

 

With the consent of the Data Subjects: 

 

  • On an exceptional basis, where the Attorney wishes to process personal data for purposes other than those set out above, such processing will be carried out on the basis of the Data Subject’s consent. 

 

  1. Categories of Personal Data 

 

The Attorney collects and processes the following categories of personal data: 

 

  • During exchanges with the Attorney, when booking an online consultation and/or in the context of the implementation of the contractual relationship with the Client or with the Partner: last name, first name, email address, telephone number, professional activity, and any other information voluntarily provided by the Data Subject and/or expressly requested by the Attorney for the performance of the Services. 

 

  • When signing an engagement letter: 

 

  • For individual Clients: last name, first name, date and place of birth, home address, telephone number, email address, copy of an identity document, professional activity. 

 

  • For professional Clients: last name, first name, telephone number and email address of the Client or of their Representatives, professional address (or registered office), SIRET number, K-bis extract, professional activity. 

 

  • When paying for the Services: last name, first name, bank details. 

 

  • When invoicing, managing debt recovery, and archiving invoices: last name, first name, billing address, professional activity. 

 

  • When sending a newsletter: last name, first name, and email address. 

 

  • When paying for and invoicing a Partner’s services: last name, first name, professional address, SIRET number, intra-community VAT number, bank details, professional activity. 

 

  1. Recipients of Personal Data 

 

The personal data collected and processed by the Attorney may be disclosed to: 

 

  • authorized persons among the Attorney’s employees and/or interns, where applicable; 

  • service providers or processors engaged by the Attorney for the purposes set out in Article 3 of this Policy, limited to the data necessary for the performance of such purposes; 

  • any colleague external to the Attorney’s firm involved in the Client’s matter; 

  • law enforcement and judicial authorities, as well as the Attorney’s insurance company, in the event of a breach of the fee agreement or of a legal or regulatory obligation; 

  • administrative or judicial authorities, and more generally public bodies, in the context of compliance with the Attorney’s legal obligations or in order to enable her to protect and defend her rights and interests; 

  • legal advisors and attorneys representing the Attorney’s interests, where necessary; 

  • any new partner in the event of a partnership; 

  • any successor in the event of a transfer of clientele, subject to the Client’s consent. 

 

  1. Security of Personal Data 

 

The Attorney implements organizational, technical, software, and physical security measures to protect personal data against any loss, unauthorized access, disclosure, or alteration. 

 

  1. Hosting and Transfer of Personal Data Outside the European Economic Area 

 

The personal data for which the Attorney is responsible is hosted by Microsoft on servers located in France and backed up in VARTEC data centers in France. 

 

The personal data for which the Attorney is responsible is generally not transferred outside the European Economic Area (hereinafter the “EEA”). 

 

Such personal data may, on an exceptional basis, be transferred to countries outside the EEA where the support provided to a client so requires, including, without limitation: (3) in the event of joint work on a Client’s matter located in the EEA with a Partner located outside the EEA (for example, where the Client carries out international activities); or (2) in the event that the contact details of a Partner located in the EEA are communicated to a Client located outside the EEA. 

 

In order to ensure a level of protection equivalent to that provided within the EEA, a territorial area outside of which GDPR standards do not apply, any transfers of personal data outside the EEA will be governed by contractual clauses based on the European Commission’s standard contractual clauses, unless the non-EEA country concerned is subject to an adequacy decision adopted by the European Commission. 

 

  1. Data Retention 

 

The Attorney retains the personal data of the Data Subjects for the period necessary to achieve the purposes pursued, where applicable extended by statutory archiving, data retention, and limitation periods. Upon expiry of these periods, the personal data will either be deleted or irreversibly anonymized by the Attorney. 

 

The retention period depends on the type of personal data and the purpose of the processing. It is determined on the basis of the following criteria: 

  • the duration of the contractual relationship with the Client or the Partner; 

  • the regularity of the Client’s use of the Attorney’s Services; 

  • the frequency of contact initiated by the Data Subject with the Attorney; 

  • the existence of legal or contractual obligations requiring the Attorney to retain the data; 

  • the existence of a specific retention period provided for under applicable regulations (for example, the obligation to retain invoices for ten (10) years); and 

  • the nature of the personal data, in particular data requiring special attention and safeguards (such as banking information). 

 

In this context, the Attorney applies the following retention periods: 

  • data relating to Clients and Partners is retained for the entire duration of the contractual relationship; 

  • data is also retained for promotional purposes for a maximum period of three (3) years following the end of the contractual relationship with the Attorney or the last interaction or contact with the Attorney, unless the right to object has been exercised earlier; 

  • after this period, the data will be deleted or irreversibly anonymized by the Attorney, unless such data must be retained for accounting purposes, to comply with legal obligations, for dispute resolution, debt recovery, or fraud prevention; 

  • invoices are retained for a period of ten (10) years from their date of issue; 

  • Clients’ bank details are not retained after payment, while Partners’ bank details are retained for the duration of the contractual relationship; 

  • in the event of a dispute relating to a transaction or the use of the Attorney’s Services, or in the event of a legal dispute, the data relating to the transaction, the Services, or the dispute concerned is retained for the applicable statutory limitation periods. 

 

For further information regarding the retention period of personal data, Data Subjects are invited to contact the Attorney using the contact details provided in Article 10 below. 

 

  1. Rights of Data Subjects 

 

In accordance with the GDPR and applicable French law, Data Subjects have the following rights: 

 

  • the right to information: Data Subjects have the right to obtain from the Attorney information regarding the processing of their personal data. 

 

  • the right of access: Data Subjects have the right to obtain from the Attorney confirmation as to whether their personal data is being processed and, where it is, access to such data as well as information relating to the purposes of the processing (Article 15 GDPR). 

 

  • the right to rectification: Data Subjects have the right to obtain from the Attorney, without undue delay, the rectification of personal data concerning them which they consider to be inaccurate (Article 16 GDPR). 

 

  • the right to erasure: Data Subjects have the right to obtain from the Attorney the erasure of their personal data, under the conditions set out in Article 17 GDPR. This right does not apply where the processing is based on a legal obligation. Where the processing is necessary for the performance of a contract or pre-contractual measures, the Attorney may be unable to perform such contract or measures if the data is erased. 

 

  • the right to restriction of processing: Data Subjects may obtain from the Attorney restriction of the processing of their personal data under the conditions set out in Article 18 GDPR. This right does not apply where the processing is based on a legal obligation. Where the processing is necessary for the performance of a contract or pre-contractual measures, the Attorney may be unable to perform such contract or measures if the processing is restricted. 

 

  • the right to data portability: Data Subjects have the right to receive from the Attorney, or to request that the Attorney transmit to a third party, the personal data concerning them for which the Attorney is responsible, in a structured, commonly used, and machine-readable format (Article 20 GDPR). 

 

  • the right to object: Data Subjects have the right to object at any time, on grounds relating to their situation, to the processing of their personal data, under the conditions set out in Article 21 GDPR. This right does not apply where the processing is based on a legal obligation. Where the processing is necessary for the performance of a contract or pre-contractual measures, the Attorney may be unable to perform such contract or measures if the Data Subject objects to the processing. 

 

  • the right to withdraw consent: Data Subjects have the right to withdraw their consent to the processing of their personal data where such processing is based on consent. The withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal. 

 

  • the right to define post-mortem instructions: Data Subjects may define general or specific post-mortem instructions relating to the retention, erasure, and communication of their personal data after their death (French Data Protection Act No. 78-17 of January 6, 1978, as amended, Article 40 II). 

 

  • the right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, Data Subjects have the right to lodge a complaint with a supervisory authority if they consider that the processing of their personal data constitutes a breach of applicable data protection regulations (Article 77 GDPR). 

In France, the competent supervisory authority is the CNIL, whose registered office is located at 3 Place de Fontenoy, 75007 Paris, and whose website is available at www.cnil.fr

Data Subjects are nevertheless encouraged to contact the Attorney prior to lodging a complaint with a supervisory authority. 

 

Data Subjects may exercise their rights by contacting the Attorney using the contact details provided in Article 10 (“Contact”) below, free of charge, except where requests are manifestly unfounded, excessive, or repetitive, in which case a fee may be charged. 

 

10. Contact 

 

For further information on the processing of their personal data, or to exercise their rights, Data Subjects may contact the Attorney using the following details: 

 

Anna Klein, Attorney-at-Law 

57 cours Pierre Puget 

13006 Marseille 

Email: ak@annaklein-avocat.com 

Telephone: +33 (0)6 17 84 19 99