Privacy Policy

StoneLex is committed to safeguarding your privacy and ensuring the security of your personal information.

This privacy policy ("Policy") outlines the fundamental principles governing the collection and utilization of information by the law firm StoneLex (contact details can be located in Section 2.1) (“StoneLex”, "Firm," "we," "our," or "us") when you access our websites at www.stonelex.org ("Website"), utilize any of the services we offer ("Services") to you, or engage with us through other means, such as reaching out to us via social media platforms, taking part in our events, submitting a job application, etc. For more comprehensive insights into specific data categories, the legal basis, purposes of processing, and data retention durations, please consult the dedicated privacy notices described in Section 4 of this Policy.

Through interactions on the Website or utilization of our Services, you ("Client" or "you") might be expressly prompted to acknowledge your acceptance of this Policy. Reference in this Police to "your Personal Data" means any information that can be used to directly or indirectly uniquely identify, contact or locate you as a private individual (“Personal Data”).

We carry out the processing of Personal Data as outlined in this Policy, adhering to relevant regulations, including the General Data Protection Regulation (2016/679) ("GDPR") and respective national data protection laws, as applicable to the data controllers identified in Section 2 of this Policy ("Data Protection Law").

Should you reveal any Personal Data pertaining to a third party (such as your employee, management board member, colleague, contracting party, etc.) to us, it is incumbent upon you to direct them to this Policy.

1. POLICY SCOPE

1.1. This Policy outlines the processing of Personal Data in the following contexts:

All matters concerning our clients, former clients, and potential clients;
Newsletters, events, and other marketing endeavors;
The cookies used on our Website;
Fulfillment of our statutory responsibilities related to the GDPR, relevant Data Protection Law, and any applicable laws and regulations, including obligations regarding anti-money laundering ("AML"), know-your-customer ("KYC"), or international and national sanction screening ("Sanctions") procedures.

2. DATA CONTROLLER

The following entity acts as data controller of your Personal Data: Advokatų profesinė bendrija “StoneLex”, a Lithuanian professional partnership of attorneys, address for correspondence Mykolo Marcinkevičiaus 11-5, Vilnius, LT-08433, Lithuania (office is remote), website www.stonelex.org, e-mail info@stonelex.org, phone +370 698 81323 (“StoneLex”).

3. LEGAL GROUNDS FOR PROCESSING YOUR PERSONAL DATA

We process your Personal Data based on:

Your consent;
Legal agreements between us;
Legal obligations that apply to us; and/or
Our legitimate interest in ensuring the quality of our legal services, maintaining security, safeguarding our financial interests, promoting information about our services and events, nurturing business relationships with clients and partners, providing excellent customer service, comprehending and enhancing user interactions on our Websites, and identifying suitable employees.

For specific details regarding the legal grounds and the corresponding Personal Data processed for each purpose of processing mentioned in Section 4 of this Policy, please refer to the provided information.

We confine the processing of your Personal Data to the extent necessary for the purpose for which the data was initially collected. In cases where processing relies on your consent, you possess the right to withdraw your consent for such processing at any time. However, doing so might limit the legal services that can be offered to you, if the data collection and processing are mandated by law.

Access to your Personal Data is restricted to personnel who need to process the data to fulfill their professional obligations and responsibilities toward you as a Client. Your Personal Data is retained and processed only for the duration required to achieve the data processing objectives mentioned above.

We have implemented suitable technical and organizational measures to ensure the secure processing of your Personal Data. Your data will be processed in a manner that guarantees confidentiality and upholds data integrity.

4. CATEGORIES OF PROCESSED PERSONAL DATA, PURPOSES, AND LEGAL BASIS FOR PROCESSING

In accordance with the nature of the Services, the Firm might handle various categories of your Personal Data:

4.1. Legal service-related data

We gather information provided by you or a representative acting on your behalf, along with information obtained independently in the course of delivering professional legal services. When furnishing legal services, we gather and handle diverse classifications of Personal Data. This collection of Personal Data is indispensable for fulfilling our contractual commitments to Clients and is within our legitimate interest as a law firm and legal consultant for Clients and potential Clients.

Upholding our professional duties, we prioritize the preservation of the confidentiality and integrity of Personal Data. We may supplement the Personal Data directly provided by you with information procured from publicly accessible resources and registries. While providing legal services, the ensuing categories of Personal Data are collected and processed:

• Information regarding the Client, representatives acting on behalf of the Client, and transactions. For instance, details for natural persons encompass: name, date of birth, particulars from identification documents, contact information, address, data about affiliated entities such as company name, registration number, authorizations, transaction-related specifics, and any data included in case files—comprising information pertaining to business operations, Client's employees or representatives, opposing parties, and even personal information of others if processed by us within the scope of legal services—this may also entail special (or sensitive) Personal Data.

Purpose: to conduct conflict assessments, provide legal services, and meet our legal obligations for conducting KYC and Sanctions screening.

Legal basis: (i) Legal agreement between us; (ii) Our legal obligations under relevant laws, including AML and Sanctions regulations; (iii) Pursuit of legitimate interests by us and third parties (to ensure quality customer service and solicit feedback from you).

• Data about ultimate beneficial owners and politically exposed persons.

Purpose: to conduct AML/KYC and Sanctions screening procedures.

Legal basis: (i) Our legal obligations under pertinent laws, encompassing AML and Sanctions provisions; (ii) Pursuit of legitimate interests by us and third parties (to safeguard our business).

• Transaction-related information and billing particulars.

Purpose: to generate invoices based on rendered legal services and to fulfill our legal responsibilities.

Legal basis: (i) Legal agreement between us; (ii) Our legal obligations according to relevant laws, including those concerning accounting and tax obligations; (iii) Pursuit of legitimate interests by us and third parties, aimed at timely managing payments and debts.

4.2. Marketing-related data:

We might forward you updates regarding recent advancements linked to the Firm, the range of services we extend, noteworthy legal developments, and forthcoming events—like informative seminars—that could be of relevance to you. This marketing data encompasses communications data via social media platforms such as LinkedIn, Twitter, and Facebook. To furnish you with this information, we could employ your name, email address, and other contact details.

For marketing intentions, we could potentially process the subsequent Personal Data:
• Basic information:

This includes your first and last name, email address, physical address, and marketing preferences ("Basic Data").

Purpose: To send you information about events that might align with your interests (e.g., seminars), forward event invitations, provide marketing updates (such as newsletters and satisfaction surveys), offer seasonal greetings, gather feedback from event attendees, and share legal news relevant to your industry. Additionally, it involves storing documents and materials in backup systems.

Legal basis: In regard to existing clients, this is founded on the legitimate interest of conducting direct marketing, enhancing communication, nurturing client relationships, notifying clients about industry developments, and securely storing materials. For potential clients and others, the legal basis is your consent.

• Data associated with event registration:

This encompasses Basic Data, company name (if representing a legal entity), confirmation of attendance (yours and your partner's), content of confirmation emails, details from feedback forms, etc. ("Registration Data"). If you decline to provide the requested Personal Data for event registration, your registration might not be confirmed.

Purpose: To facilitate event registration and manage attendee lists, gather feedback from event participants, manage event costs, and store materials in backup systems.

Legal basis: (i) Legitimate interest (for free events) or contract performance (for paid events) to manage event registration; (ii) Consent obtained during event registration and acceptance of terms in the Information Notice for receiving feedback to enhance event management; (iii) Fulfilling legal obligations for event cost management; and (iv) Legitimate interest in storing materials for security in backup systems.

• Data tied to communications between us:

This involves Basic Data and the content of our communications ("Communication Data").

Purpose: To ensure event registration and attendee list management, alongside storing materials in backup systems.

Legal basis: Legitimate interest in effectively managing events and securely storing materials in backup systems.

• Data linked to event captures:

This includes photographs, videos, and other recordings from events ("Event Data").

Purpose: To document events, publish event captures on our website or social media platforms, grant attendees access to event captures, and store materials in backup systems.

Legal basis: Legitimate interest in documenting events for sharing experiences with attendees through enduring media, generating marketing content, gaining public exposure for events to promote our business, and ensuring sustainability via active marketing. Additionally, the legitimate interests of you and other attendees in accessing event captures, and the secure storage of materials in backup systems.

4.3. Data from cookies:

Cookies are utilized to gather insights into your interaction with our Website. They enhance your experience by making your interaction with the Website smoother and more user-friendly. Typically, the information collected does not include data that could specifically identify you as an individual. Your data will be processed using cookies during the timeframe of your consent. For more comprehensive details, please refer to the StoneLex Cookie Policy.

5. YOUR RIGHTS AS A SUBJECT OF DATA

It is our legal obligation to ensure the accuracy and currency of your Personal Data. We kindly request your cooperation in fulfilling this obligation by promptly informing us of any changes required for the Personal Data we process.

You have the right to exercise the following rights concerning our handling of your Personal Data:

a) Right to access: You have the right to request access to any data that pertains to you as Personal Data. This includes being informed about whether we process your Personal Data, the categories of Personal Data we process, and the purpose behind our data processing.

b) Right to rectification: If any of your Personal Data is incorrect or incomplete, you have the right to request its correction.

c) Right to object: You are entitled to object to specific Personal Data processing, which includes instances like processing for marketing purposes or processing based on legitimate interest.

d) Right to erasure: You can request the deletion of your Personal Data, within certain legal boundaries. This can apply when the data is no longer necessary for the intended purposes, when processing is deemed unlawful, or when compliance with a legal requirement necessitates erasure.

e) Right to data portability: If we process your Personal Data based on your consent or a mutual contractual relationship, you may request to receive this data in a structured, widely used, and machine-readable format. You may also ask for the data to be transmitted to another controller, provided this is technically feasible.

f) Right to withdraw consent: If processing relies on your consent, you can withdraw that consent at any time.

g) Opt-out from marketing: We offer you the choice to opt out of our communications whenever we send you information about the Firm, our events, or other relevant topics. Furthermore, you can opt out at any time by contacting us.

During the provision of legal services to our Clients, there might be scenarios where our legal obligations and the rules set forth by the Bar Association prevent us from divulging or erasing the data we store and process. Additionally, such laws, regulations, or rules might also limit your ability to exercise certain other data subject rights.

Should you have grievances concerning how we handle your Personal Data, or if you seek further information about our data processing practices, please don't hesitate to reach out to us. The contact details can be found in Section 2.1 of this Policy.

You retain the right to file a complaint with a Data Protection Authority ("DPA") if you believe that your Personal Data is being inaccurately processed or that your data subject rights are being violated by us. You can lodge such a complaint with the DPA local to your jurisdiction, which could be the place where the alleged breach of your data subject rights or improper data processing occurred, or where you reside and work.

Here is the list of DPAs in Lithuania: The State Data Protection Inspectorate: https://vdai.lrv.lt/

6. RECIPIENTS OF YOUR PERSONAL DATA

When rendering legal services to our clients, there might be instances where we are compelled to share Personal Data with third parties. This could encompass data transfers within the framework of legal proceedings and litigation, as well as any legal services provided to our Clients. Your data could be shared amongst entities within the StoneLex group, partners, and authorities when legal mandates or regulations require it, or for the purpose of furnishing specific legal services.

Outside the context of legal services, we do engage specific third-party services to ensure the functionality of our services and Website. For these purposes, we need to transmit your Personal Data to these third-party service providers (which can include operational services like auditors) so they can offer their services to us. For instance, your Personal Data might be transmitted to IT service providers, accounting firms, security service providers, or translation services. These third-party service providers are classified as data processors. The scope of Personal Data transferred to these third-party service providers will be minimized to the extent necessary to facilitate their services.

We've taken measures to ensure that all third-party service providers adhering to laws that govern the processing of your Personal Data. The transfer of your Personal Data is structured through data processing agreements or terms that are established between us and these third-party service providers. As data processors, these third-party service providers are obligated to treat your Personal Data with the same level of care and diligence that we maintain. They hold legal accountability to both you and us if they fail to uphold these obligations. Additionally, they are mandated to enact technical and organizational measures to uphold the same level of data protection that we implement in our own data processing endeavors.

Should event captures be publicly disseminated on social media pages administered by the Firm, your Event Data might also undergo processing by third parties. As we possess limited control over such processing, it is advised to acquaint yourself with the privacy notice of the respective third party.

In instances where we utilize social media platforms for accessing statistical data, filtering, and targeted marketing tools related to the visits on our social media pages, the social media service providers will act as joint controllers with the Firm for processing your Personal Data (examples include Facebook, Twitter, and LinkedIn).

Furthermore, we might be obligated to transfer your Personal Data to other recipients, such as local or state authorities, courts, or other controllers (such as other law firms), contingent upon the scope of the services provided or the pertinent statutory requirements. Such transfers of Personal Data might extend beyond the European Union (refer to Section 9 of this Policy for more details).

7. SOURCES OF PERSONAL DATA

While a significant portion of the Personal Data outlined in this Policy is provided directly by you, there are several other sources from which we can collect and receive your Personal Data.

These sources include:

Data Media Created at Our Request: Personal Data could be compiled and received through data media that we have initiated or requested.

Other Sources: We can gather Personal Data from sources beyond your direct submission. This might encompass other Clients, social media platforms, publicly accessible sources, when such collection is necessary for the provision of legal services, marketing purposes, or in the context of a dispute with a Client.

Third-Party Identification and Screening Services: In certain cases, we might engage third-party services to facilitate remote identification and screening. This could be pertinent for Anti-Money Laundering (AML) compliance.

In summary, while you do provide much of your Personal Data directly, we also obtain it from data media, technical measures like CCTV, other sources like fellow Clients or social media, and potentially through third-party identification and screening services, all as required for various aspects of legal services, marketing, and compliance.

8. DATA RETENTION AND RETENTION PERIOD

We will uphold the storage of acquired Personal Data in alignment with the pertinent legislation of the relevant jurisdiction and the guidelines set forth by the Lithuanian Bar Association. The retention of your Personal Data will be limited to the time frame required for the initial purposes of collection and processing.

For alternate purposes, the retention period for your Personal Data is determined by a range of factors, which include:

The nature of the Personal Data;
The presence of disputes, whether involving us or any third party;
Our legal obligations mandated by laws and regulations, dictating the retention of your Personal Data for legitimate reasons.

The retention periods for the specified categories of your personal data are as follows:

Legal Services Data:

Information about the Client, person acting on behalf of the Client, and transaction: Kept for a minimum of 10 years after the termination of the legal relationship with the client. This duration may be extended if any competent institution, in accordance with applicable laws, mandates a longer retention period.
Information about the ultimate beneficial owner and politically exposed persons: Held for up to 8 years following the conclusion of the legal relationship with the Client. This retention period might be extended if required by applicable laws.
Information about the transaction and billing details: Maintained for up to 10 years after the transaction's occurrence.

Marketing Data:

Registration Data: Retained for a maximum of 10 years from the beginning of the subsequent year after the financial year in which the Personal Data were collected.
Communications Data: Held for up to 10 years from the commencement of the year subsequent to the initial communication.
Event Data: Maintained for up to 10 years starting from the beginning of the year following the year when the Personal Data were collected.

For information related to Cookie Data retention, please refer to our Cookie Policy.

Following the retention period specified in this section of the Policy, we will proceed to erase the relevant Personal Data, unless we are legally compelled to maintain the data for an extended period to fulfill obligations stemming from applicable laws or if the data is indispensable for resolving legal disputes.

Please be aware that after the retention period outlined in this section of the Policy concludes or if the legal basis for processing ceases, we possess the right to retain documents and materials containing Personal Data within our backup systems. These backups will be eventually deleted at the conclusion of the backup retention cycle. Throughout this backup duration and beyond the retention period or cessation of the legal basis, we guarantee the presence of suitable safeguards. During this time, the Personal Data within the backup systems are rendered inactive, and they will be subsequently deleted as expeditiously as possible, during our next deletion or destruction cycle.

9. LOCATION OF DATA PROCESSING

We primarily store and process your Personal Data within the European Union (EU). However, there might be instances where your Personal Data needs to be transferred to and stored in a location outside the EU. This could occur, for instance, when a client's assignment involves legal advice from non-EU lawyers, or when data processors operating outside the EU are involved in processing.

In such cases, we take all necessary precautions to ensure that your Personal Data is treated securely and in accordance with applicable Data Protection Laws. We may transfer your Personal Data based on:

An adequacy decision by the European Commission.
Standard data protection clauses formulated by the European Commission.
Standard data protection clauses established by a Data Protection Authority (DPA).
Other suitable safeguards and exceptions as permitted by Data Protection Laws.

Moreover, if we transfer data to any third country not covered by an EU adequacy decision, we exercise extreme caution to ensure security. Only the absolutely essential Personal Data required for legal services is transferred. Additionally, this data is transferred in an encrypted manner to render it useless if intercepted during transmission.

For any questions, inquiries, requests, or complaints regarding the processing of your Personal Data, please feel free to contact us at: info@stonelex.org

10. CHANGES TO THE POLICY

This Policy might undergo modifications to align with shifts in our data processing practices and evolving data protection best practices. In the event of any changes to this Policy, the most recent version will be made available on our Website. Moreover, if the changes are substantial in nature, we will notify you accordingly.

Last Updated: 2023-08-01