Privacy & Personal
Data Protection Policy

This Privacy and Personal Data Protection Policy (hereinafter the “Policy”) aims to set out the purposes, methods, and conditions under which personal data is processed by:

Maître Anna Klein, Lawyer admitted to the Marseille Bar and the New York Bar, sole practitioner, registered under SIREN No. 852 001 445, with a registered office at 57 cours Pierre Puget, 13006 Marseille, France (hereinafter, the “Lawyer”).

The Lawyer may collect and process personal data concerning:

  • Visitors and users (hereinafter, the “Users”) of the website https://annaklein-avocat.com (hereinafter, the “Website”) while browsing;
  • Prospective clients (hereinafter, the “Prospects”);
  • Clients (hereinafter, the “Clients”) as part of the Lawyer’s legal services (hereinafter, the “Services”), in accordance with the engagement letters concluded with Clients, or pursuant to the General Terms and Conditions of Sale (GTCS) available at the following link for online consultations: https://annaklein-avocat.com/wp-content/uploads/CGV-Anna-Klein-juin25-AK.pdf;
  • Partners, peers, service providers, and subcontractors (hereinafter, the “Partners”);
  • Any employees, associates, agents, representatives, trainees, apprentices, temporary workers, contractors, or other persons acting on behalf of a Client, Prospect, or Partner (hereinafter, the “Representatives”).

Together, Users, Prospects, Clients, Partners, and Representatives are referred to as the “Data Subjects.”

The Lawyer is committed to protecting the privacy and personal data of all Data Subjects. She ensures that her data processing practices comply with applicable regulations, including EU Regulation 2016/679 (the “General Data Protection Regulation” or “GDPR”) and the French Data Protection Act of 6 January 1978, as amended.

The Lawyer reserves the right to modify this Policy at any time.
The current version of the Policy is available for consultation directly on the Website at:
https://annaklein-avocat.com/politique-de-confidentialite/

The version applicable to Clients is also provided as an annex when signing a new engagement letter.

  1. Data Controller

The Lawyer acts as the Data Controller of all personal data collected and processed in the context of her Services, under the terms of this Policy.

The Data Controller determines the purposes and means of processing personal data and is responsible for ensuring compliance. The Lawyer also serves as the primary point of contact for Data Subjects wishing to obtain information or exercise their rights.

The Lawyer can be contacted using the details provided in Section 10 – “Contact.”

  1. Collection of Personal Data

Sources of personal data:

  • From Users directly, when contacting the Lawyer via the Website;
  • From Clients (or their Representatives), when requesting Services or booking consultations online;
  • From Prospects (or their Representatives), either directly or through third parties (who have lawfully shared their contact details), or from publicly available business information when contact is justified;
  • From Partners (or their Representatives), either directly, via referrals, or from publicly available professional sources.

Mandatory data:
Certain data are required to access the Lawyer’s Services (e.g., booking consultations, signing engagement letters). Mandatory information is marked with an asterisk (*) or directly requested by the Lawyer. Failure to provide such information may prevent service delivery.

Accuracy of data:
The Lawyer strives to maintain accurate and up-to-date personal data. Data Subjects may request updates or corrections using the contact details in Section 10.

  1. Purposes and Legal Bases of Processing

The Lawyer processes personal data based on the following legal grounds and purposes:

(a) Performance of a contract or pre-contractual measures:

  • Communication with Clients regarding Services;
  • Online consultation booking and quotation;
  • Preparation and execution of engagement letters and Services;
  • File management, billing, payment collection, and handling of claims.

(b) Compliance with legal obligations:

  • Accounting, tax reporting, and record-keeping;
  • Anti-money laundering and anti-fraud compliance;
  • Responding to legal, administrative, or regulatory requests.

(c) Legitimate interests of the Lawyer:

  • Managing Client, Prospect, and Partner relations;
  • Promoting Services (e.g., newsletters, social media communication, events);
  • Protecting the Lawyer’s legal rights and interests;
  • Conducting audits, preventing fraud, and ensuring data security.

(d) Consent:
In exceptional cases, the Lawyer may rely on consent for processing data for purposes not listed above.

  1. Categories of Personal Data

The Lawyer may process:

  • Identification and contact details (name, email, phone, address, occupation);
  • Billing and payment details (bank information, invoices);
  • Professional information (company details, registration numbers, business activities);
  • Any additional information voluntarily provided by the Data Subject.
  1. Recipients of Personal Data

Personal data may be shared with:

  • Authorized employees or trainees of the Lawyer;
  • Service providers and subcontractors assisting in providing Services;
  • Other lawyers or professionals collaborating on a Client’s case;
  • Law enforcement or judicial authorities, if required by law;
  • Administrative or regulatory bodies, when legally mandated;
  • Legal counsel representing the Lawyer;
  • New business partners or successors, subject to Client consent.
  1. Data Security

The Lawyer implements organizational, technical, and physical security measures to protect data from unauthorized access, alteration, disclosure, or destruction.

  1. Hosting and Data Transfers

Data is hosted on Microsoft servers located in France and backed up by VARTEC data centers (France).
Personal data are not generally transferred outside the EEA, except where required to perform a Service (e.g., cross-border matters).
Any such transfers are governed by European Commission Standard Contractual Clauses or conducted to countries with an adequacy decision.

  1. Data Retention

Data are retained only as long as necessary for their processing purposes, plus statutory limitation or archiving periods.

Examples include:

  • Client and Partner data: retained for the duration of the contractual relationship;
  • Promotional purposes: retained up to three (3) years after the end of the relationship or last contact;
  • Invoices: retained for ten (10) years from issuance;
  • Banking details: not retained after payment (except for Partners, kept during the contractual relationship).

After these periods, data are securely deleted or irreversibly anonymized.

  1. Data Subject Rights

Data Subjects may exercise the following rights under the GDPR and French law:

  • Right to information and access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (“right to be forgotten”) (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)
  • Right to withdraw consent (where applicable)
  • Right to define post-mortem instructions (Art. 40-II French Data Protection Act)
  • Right to lodge a complaint with a supervisory authority, particularly the CNIL (3 place de Fontenoy, 75007 Paris – www.cnil.fr)

Before filing a complaint, Data Subjects are encouraged to contact the Lawyer directly.

Requests may be made free of charge, except in the case of excessive or repetitive demands.

  1. Contact

For further information regarding personal data processing or to exercise your rights, please contact:

Maître Anna Klein
57 cours Pierre Puget, 13006 Marseille, France
ak@annaklein-avocat.com
+33 (0)6 17 84 19 99