Privacy Policy
This privacy policy outlines the DA Investment Protection policy regarding personal data, in accordance with the regulations in force in France on personal data, as set out in Law No. 78-17 of January 6, 1978 relating to data processing, files, and freedoms, known as the “Informatique et Libertés” law, and EU Regulation 2016/679 of May 25, 2018 on data protection, known as the “GDPR.”
The purpose of this privacy policy is to inform any client of DA Investment Protection (hereinafter the “Client”):
• of the processing of the Client’s personal data carried out by DA Investment Protection as the data controller (I); and
• of the processing of third-party personal data transmitted by the Client to DA Investment Protection and processed by DA Investment Protection as the data processor (II).
I. Processing of Clients’ Personal Data by DA Investment Protection as Data Controller
1. Categories of Personal Data Collected
In the course of the engagement entrusted to DA Investment Protection by the Client, DA Investment Protection may collect and process personal data concerning Clients, in particular relating to civil status (name, surname, age, postal address, email address), family situation, professional life (position, etc.), and economic and financial information (hereinafter “Client Data”).
2. Contact Details of the Data Controller
The data controller of the Client Data is DA Investment Protection, operating in Paris as an association of lawyers with individual professional liability, with its registered office at 51, rue François 1er, 75008 Paris, France, registered under SIRET No. 793 138 942 000 24.
Telephone: +33 7 45 46 76 56
Fax: +33 7 45 46 76 56
The representative of the data controller can be contacted at: responsable-traitement@bdgs-associes.com
3. Legal Basis and Purposes of Collection
Client Data is collected exclusively in connection with the execution and management of the contract between the Client and DA Investment Protection, in compliance with legal or regulatory obligations (accounting, tax obligations, etc.) applicable to DA Investment Protection, to meet DA Investment Protection’ legitimate interests (monitoring and maintaining the business relationship), or based on the Client’s consent (e.g., invitations to events).
4. Data Processing Actors
4.1. DA Investment Protection Staff
Client Data is intended for members of DA Investment Protection authorized to process it as part of their duties.
4.2. DA Investment Protection Subcontractors
In the course of its activities and service provision, DA Investment Protection uses subcontractors located in the European Union, who process Client Data on behalf of, under the instruction of, and under the authority of DA Investment Protection.
In compliance with the GDPR, DA Investment Protection requires its subcontractors to provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures to ensure the security and confidentiality of Client Data.
4.3. Third Parties
In the course of its activities and service provision, DA Investment Protection may transmit Client Data to other lawyers (for legal document exchanges, litigation, etc.) or to formalists (for carrying out formalities related to registering company directors).
5. Retention and Archiving of Client Data
DA Investment Protection only collects Client Data strictly necessary for the purposes described above and retains it for the period strictly necessary for the intended purpose. Specifically, Client Data is kept in active storage for the duration of the mission entrusted to DA Investment Protection. At the end of this period, the data will either be deleted or archived for the necessary duration (i) to comply with legal and regulatory obligations and/or (ii) to establish, exercise, or defend legal claims.
6. Security of Client Data
DA Investment Protection implements all necessary technical and organizational measures to ensure the confidentiality and security of Client Data and to prevent it from being damaged, deleted, or transmitted to unauthorized third parties.
In the event of a data breach likely to result in a risk to the rights and freedoms of the Client, DA Investment Protection undertakes to notify the competent supervisory authority (CNIL) within 72 hours of becoming aware of it, in accordance with Articles 33 and 34 of the GDPR, and to notify the Client as soon as possible.
7. Client Rights Regarding Personal Data
Under Articles 15 to 22 of the GDPR, and where compatible with the purposes of the processing, the Client has the right to access, rectify, delete, and port their personal data, as well as the right to restrict processing. The Client may also object to processing for legitimate reasons.
The Client can exercise their rights by sending a request to: responsable-traitement@bdgs-associes.com.
DA Investment Protection may refuse to grant these rights for one of the reasons provided for in Articles 15 to 22 of the GDPR, particularly if processing is necessary to comply with a legal or regulatory obligation, or to establish, exercise, or defend legal claims.
DA Investment Protection will inform the Client of measures taken within one (1) month from receipt of the request. This period may be extended by two (2) months depending on complexity and volume of requests.
If DA Investment Protection does not act on the request, it will inform the Client within one (1) month of the reasons for inaction and the possibility of lodging a complaint with a supervisory authority or seeking judicial remedy.
Exercising these rights is free of charge; however, in the case of manifestly unfounded or excessive requests, DA Investment Protection reserves the right to (i) charge a fee considering administrative costs, or (ii) refuse to comply with such requests.
8. Complaints to a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, if the Client believes that their data processing constitutes a violation of the GDPR, they have the right to file a complaint with the competent supervisory authority (CNIL).
II. Processing of Third-Party Personal Data Communicated by the Client to DA Investment Protection as Data Processor
1. In the course of the engagement, the Client may provide DA Investment Protection with third-party personal data (e.g., employees, customers of the Client) relating to civil status (name, surname, age, postal address, email address), family situation, professional life (position, etc.), and economic and financial information (hereinafter “Third-Party Data”).
2. The Client is the data controller of the Third-Party Data. DA Investment Protection, which collects and processes Third-Party Data on behalf of and according to the Client’s instructions, acts as a data processor.
3. As the data controller, the Client declares and guarantees compliance with their obligations regarding Third-Party Data protection, including: (i) ensuring the lawfulness of their processing; (ii) having informed and, where applicable, obtained consent from the individuals concerned; (iii) implementing all appropriate technical and organizational measures to ensure the security and confidentiality of Third-Party Data; (iv) enabling the effective and prompt exercise of the rights of individuals concerned; and (v) establishing an effective procedure in the event of a data breach.
4. The Client remains the owner of the Third-Party Data and is solely responsible for any breach of personal data regulations in the management of this data. DA Investment Protection assumes no liability in this regard. Likewise, as DA Investment Protection has neither knowledge of nor control over the Client’s use of Third-Party Data, it cannot be held liable for any violation of these personal data that the Client may commit.
5. As the processor of Third-Party Data, DA Investment Protection undertakes, in accordance with Article 28 of the GDPR, to:
– process Third-Party Data solely within the scope of the mission entrusted by the Client;
– process Third-Party Data only on documented instructions from the Client, and to inform the Client of any instruction that would be contrary to personal data regulations;
– ensure that persons authorized to process Third-Party Data are bound by confidentiality obligations;
– implement appropriate technical and organizational measures to ensure the security and confidentiality of Third-Party Data;
– apply data protection by design and by default principles for tools, products, applications, or services;
– assist the Client, as far as possible, in fulfilling their obligation to respond to rights requests from individuals concerned;
– notify the Client of any data breach as soon as possible after becoming aware of it;
– assist the Client in ensuring compliance with security, breach notification, and data protection impact assessment obligations;
– make available all necessary information to demonstrate compliance with these obligations and allow for audits or inspections by the Client or a mandated auditor, and contribute to such audits.
6. DA Investment Protection undertakes to ensure that Third-Party Data is stored within the European Union or in a country offering a level of protection equivalent to that of the EU. In the event of a transfer outside the EU to a country without such protection, DA Investment Protection undertakes to use standard contractual clauses approved by the European Commission or implement Binding Corporate Rules. DA Investment Protection may engage another processor for specific processing activities and undertakes to provide the Client with a list of such processors upon request. In all cases, DA Investment Protection will remain fully liable to the Client for any breach by a subsequent processor.
7. DA Investment Protection processes Third-Party Data under the conditions defined above for the entire duration of the mission entrusted by the Client. At the end of the mission, DA Investment Protection undertakes, in accordance with the Client’s instructions, to delete or return the Third-Party Data, unless a legal or regulatory obligation requires its retention.