Menu

Privacy Policy

FIRSH is committed to protecting the privacy and data of its clients, partners and contacts, including users of its websites and online platforms, contacts made in the context of professional meetings, matters, assignments, partnerships, services and applications. FIRSH therefore adopts and complies with a data-processing policy that is consistent with applicable regulations.

In this respect, FIRSH complies with applicable European personal data protection law, and in particular Regulation (EU) 2016/679 of 27 April 2016, known as the General Data Protection Regulation or GDPR, as well as any national rules adopted pursuant to it and applicable on a subsidiary basis, including Law No. 78-17 of 6 January 1978 on information technology, files and freedoms, as amended.

This Privacy Policy is intended to inform data subjects (“you” or “your”) in a clear, simple and complete manner of how FIRSH, as data controller, collects and uses personal data concerning you, and of the means available to you to control such use and exercise your related rights.

1. When is your personal data collected?

FIRSH may collect your personal data in particular in the context of professional meetings, contractual relationships, partnerships, applications, visits to our premises, your use of our website through the contact form, or the company’s social media pages. No other personal data processing is carried out when browsing the website and FIRSH does not place any cookies.

Declarative personal data is data that you provide via forms, whether online, on paper, or in response to questions asked by lawyers or members of the firm.

FIRSH applies the principles of data minimisation, data protection by design and data protection by default. Accordingly, the information collected is relevant, adequate and limited to what is necessary in light of the purposes for which it is processed.

Mandatory declarative personal data is identified by an asterisk on the collection medium. Outside these cases, you are free to provide all, some or none of your personal data. However, such a decision may limit your access to certain services or products offered by FIRSH, or to other functionalities offered by its website.

2. On what legal basis is your data collected?

Your personal data is processed by FIRSH in the cases permitted by applicable regulations, and in particular in the following circumstances:

  • where you have given free, specific, informed and unambiguous consent to the processing of your personal data, such as subscribing to thematic information, newsletters, registering for an event or joining the laboratory;
  • where the processing is necessary for the performance of a contract or pre-contractual measures taken at your request, such as an application, handling a matter or requiring access to a data room;
  • for compliance with FIRSH’s legal or regulatory obligations, such as anti-fraud obligations;
  • where FIRSH’s legitimate interests may justify processing, such as IT security measures.

Information notices compliant with applicable law are provided in each case.

3. Why is your personal data collected?

Your personal data is collected for specified, explicit and legitimate purposes. Depending on the case, your personal data may be used to:

  • perform legal services under our agreements;
  • communicate with you in the context of matters, assignments, partnerships and the laboratory;
  • participate in satisfaction surveys, including for legal rankings, analyses and statistics, in order to improve our services and our knowledge of clients and prospects;
  • request, obtain or receive information about FIRSH or any of its entities or partners, or about the products and services offered by them;
  • subscribe to and receive thematic information, including legal training, legal monitoring, newsletters, documentation, invitations and activity reports;
  • process your job application;
  • improve your client experience.

4. Who receives your personal data?

Your personal data is confidential. Only persons duly authorised by FIRSH may access it, without prejudice to its possible transmission to bodies responsible for control or inspection missions in accordance with applicable regulations.

All persons with access to your personal data are bound by a confidentiality obligation.

These persons include authorised staff within the firm and its partners, including lawyers, legal professionals and administrative staff. Our service providers may also process personal data strictly necessary for the performance of the services entrusted to them, including assignments, electronic and postal distribution, logistics, transport and catering.

If affiliates or service providers located outside the European Union are used, FIRSH undertakes to verify that appropriate measures have been put in place to ensure that your personal data benefits from an adequate level of protection, including through the European Commission’s standard contractual clauses or binding corporate rules. Note: the reference to the EU-US Privacy Shield in the French text should be reviewed, as that framework has been invalidated and replaced by newer transfer mechanisms.

5. How is the security of your personal data preserved?

FIRSH protects and secures your personal data to ensure its confidentiality and prevent it from being altered, damaged, destroyed or disclosed to unauthorised third parties.

Where disclosure of data to third parties is necessary and authorised, FIRSH ensures that those third parties provide the same level of protection for the relevant data as FIRSH, and requires contractual safeguards so that the data is processed only for the purposes previously accepted by you, with the required confidentiality and security.

FIRSH implements technical and organisational measures to ensure that personal data is stored securely for the time necessary to achieve the purposes pursued, in accordance with applicable law.

Although FIRSH takes reasonable measures to protect your personal data, no transmission or storage technology is entirely infallible.

In accordance with applicable European regulations, in the event of a confirmed personal data breach likely to result in a high risk to the rights and freedoms of data subjects, FIRSH undertakes to notify the competent supervisory authority and, where required by the applicable regulations, the data subjects concerned.

Without prejudice to the foregoing, you are responsible for taking precautions to prevent unauthorised access to your personal data and terminals, including computers, smartphones and tablets.

The company’s websites may provide links to third-party websites that may be of interest to you. FIRSH has no control over the content of those third-party websites or over the personal data protection practices of third parties. FIRSH therefore disclaims any liability for the processing of your personal data by such third parties, which is not governed by this Privacy Policy.

You are responsible for informing yourself about the personal data protection policies of such third parties.

6. How long is your personal data retained?

FIRSH retains your personal data for the time necessary to achieve the purposes pursued, subject to legal archiving options, obligations to retain certain data and/or anonymisation.

In particular, we apply the following retention periods for certain main categories of personal data:

  • Personal data of clients, prospects and business partners: while the user remains active and, at the latest, two years after the last contact with the user.
  • Connection data relating to data rooms: one year after the last connection.
  • Personal data of job applicants: for the time necessary to process the application and, in the event of a negative outcome, two years after the last contact, unless the candidate agrees to a longer period.

7. What rights do you have over your personal data and how can you exercise them?

7.1 Your rights

Subject to the limits provided for by applicable regulations, you have the following rights in relation to your personal data:

  • Right to information on the processing of your personal data

FIRSH endeavours to provide you with concise, transparent, understandable and easily accessible information, in clear and plain language, on the conditions under which your personal data is processed.

  • Right of access, rectification and erasure, or “right to be forgotten”

The right of access allows you to obtain confirmation from FIRSH as to whether or not your personal data is being processed, to obtain information on the conditions of such processing and to receive an electronic copy. For any additional copy, FIRSH may request payment of reasonable fees based on the administrative costs incurred. You also have the right to obtain from FIRSH the rectification of your personal data as soon as possible and, by default, within 30 days.

Subject to exceptions provided by applicable law, such as retention necessary to comply with a legal obligation, you have the right to request that FIRSH erase your personal data as soon as possible where one of the following grounds applies:

  • Your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
  • You wish to withdraw the consent on which the processing was based and there is no other legal basis justifying the processing.
  • You consider, and are able to establish, that your personal data has been unlawfully processed.
  • Your personal data must be erased to comply with a legal obligation.
  • Right to restriction of processing of your personal data

Applicable regulations provide that this right may be invoked in certain cases, in particular:

  • where you dispute the accuracy of your personal data;
  • where you consider, and are able to establish, that the processing of personal data is unlawful but object to erasure and request restriction instead;
  • where FIRSH no longer needs the personal data but it is still required by you for the establishment, exercise or defence of legal claims;
  • where you object to processing based on the legitimate interest of the controller, pending verification as to whether the legitimate grounds pursued by the controller override those of the data subject.
  • Right to data portability

Where processing is based on your consent or on a contract, this right to portability allows you to receive the personal data you have provided to FIRSH in a structured, commonly used format, and to transmit that personal data to another controller without hindrance from FIRSH. Where technically possible, you may request that FIRSH transmit the personal data directly to another controller.

  • Right to withdraw consent to personal data processing

Where FIRSH processes your personal data on the basis of your consent, such consent may be withdrawn at any time using the means provided for this purpose, as described in section 7.2 of this Policy. In accordance with applicable law, withdrawal of consent applies only for the future and does not affect the lawfulness of processing carried out before the withdrawal.

  • Right to lodge a complaint with a supervisory authority

If, despite FIRSH’s efforts to preserve the confidentiality of your personal data, you believe that your rights are not being respected, you have the right to lodge a complaint with a supervisory authority. A list of supervisory authorities is available on the European Commission website.

The supervisory authority in France is the CNIL, 3 Place de Fontenoy, 75007 Paris.

  • Right to decide what happens to your personal data after your death

Finally, you have the right to organise the fate of your personal data after your death by adopting general or specific instructions. FIRSH undertakes to comply with such instructions. In the absence of instructions, FIRSH recognises the possibility for heirs to exercise certain rights, in particular the right of access where necessary for the settlement of the deceased’s estate, and the right to object in order to close the deceased’s user accounts and oppose the processing of their data.

7.2 How to exercise your rights

For any question relating to this Privacy Policy and/or to exercise your rights as described above, you may contact FIRSH electronically or by post by sending a letter accompanied by a copy of an identity document to:

FIRSH
38 rue de Courcelles
75008 Paris

Note: the French text currently refers in one place to 5 rue La Boétie. This address should be updated to 38 rue de Courcelles if that is the current registered/contact address used elsewhere on the website.

If your request is made electronically, the information will also be provided electronically where possible, unless you expressly request otherwise.

If FIRSH does not act on your request, it will inform you of the reasons for not doing so, and you will have the possibility to lodge a complaint with a supervisory authority and/or seek judicial remedy. The supervisory authority in France is the CNIL, 3 Place de Fontenoy, 75007 Paris.

8. Applicable law and competent court

This Privacy Policy is governed by French law. In the event of a dispute and where no amicable agreement can be reached, the competent courts shall be those within the jurisdiction of the Paris Court of Appeal, notwithstanding multiple defendants or third-party proceedings.