Law Firm Staffelbach (“we”, “us”) is a law firm with its registered office in Zurich, Switzerland. Owner of the Law Firm is Dr Oliver Staffelbach, attorney-at-law. In the course of our business activities, we collect and process personal data (the “data”), in particular personal data about our clients, associated persons, counterparties, correspondent law firms, professional and other associations, visitors to our websites, and other entities or, in each case, their contact persons and employees (“you”). In this Privacy Notice we inform you about the processing of these data. In addition to this Privacy Notice, we may provide you with additional information about the processing of your data.
If you disclose data to us about other persons, we assume that you are authorized to do so, that such data is accurate, and that you have ensured that such persons are aware of such disclosure to the extent that an information obligation applies.
2-DATA CONTROLLER AND CONTACT DETAILS
The following person is the data controller, i.e., the party that is primarily responsible to ensure compliance with data protection laws:
Law Firm Staffelbach
Dr Oliver Staffelbach, attorney-at-law
3-COLLECTION AND PROCESSING OF PERSONAL DATA
As part of our operations, we may process different categories of personal data for different purposes. In particular, we process the following personal data from you for the following purposes:
- Communication:We process personal data so that we can communicate with you as well as with third parties, such as parties to proceedings, by e-mail, telephone, letter, or other means (e.g., to answer inquiries, in the context of legal advice and representation as well as pre-contractual measures or execution of contracts). You have the option to refuse or withdraw your consent to any communications at any time. In the context of communication, we process in particular the content and metadata of the communication as well as your contact data, but also image and audio recordings of video or phone calls.
- Pre-contractual measures and conclusion of contracts:With regard to the conclusion of a contract, such as, in particular, a contract for the establishment of an attorney-client relationship with you or your mandator or employer, which also includes checks for any conflicts of interest, we may in particular process your name, contact details, powers of attorney, declarations of consent, information about third parties (e.g., contact persons, family details, as well as counterparties), contract contents, date of conclusion, creditworthiness data, as well as all other data that you provide to us or that we collect from public sources or third parties.
- Administration and performance of contracts: We process personal data in order to comply with our contractual obligations to our clients and other contractual partners (e.g., suppliers, service providers, correspondent law firms, project partners) and, in particular, to provide and claim contractual services. This also includes data processing for the management of mandates (e.g., legal advice to our clients and correspondence) as well as data processing for the enforcement of contracts (debt collection, court proceedings, etc.), accounting and public communication. For this purpose, we process in particular the data that we receive or have collected in the course of initiating and concluding the contract, as well as data that we create in the course of our contractual services or that we collect from public sources or other third parties. Such data may include, in particular, minutes of conversations and consultations, notes, internal and external correspondence, contractual documents, as well as other mandate-related information, documents, transcripts of records, invoices, and financial and payment information. In this context, we may also process sensitive personal data.
- Improving our electronic offerings: In order to continuously improve our websites and other electronic offerings (e.g., newsletters), we collect data about your behavior and preferences by analyzing, for example, how you navigate through our websites and how you interact with our social media profiles and other electronic offerings.
- Security purposes and access controls:We process personal data to ensure and continuously improve the appropriate security of our IT and other infrastructure. This includes, for example, monitoring and controlling electronic access to our IT systems as well as physical access to our premises, analyzing and testing our IT infrastructures, performing system and error checks, and creating backup copies. For documentation and security purposes we also maintain access logs or visitor lists for our premises.
- Compliance with laws, directives and recommendations of authorities as well as internal regulations (“Compliance”):We process personal data to comply with applicable domestic and foreign law, self-regulations, certifications, and industry standards.
- Other purposes:Other purposes include, for example, training and educational purposes and administrative purposes (e.g., accounting). We may listen to or record telephone or video conferences for purposes of training, evidence, and quality assurance. In such cases, we will notify you separately and you are free to let us know if you do not wish to be recorded or to terminate the communication (if you do not wish your image recorded, please switch off your camera).
4-ORIGIN OF DATA
The data processed by us are of the following origin:
- From you:You provide us with much of the data we process (e.g., in the context of our services, your use of our websites, and your communication with us). In some instances, this data is also transmitted to us automatically by your end device. You are not required to disclose your data, with certain exceptions. You must for example provide us with certain data to conclude contracts with us or use our services. The use of our websites is also impossible without data processing.
- From third parties: We may collect data from publicly accessible sources or receive such data from public authorities, your employer or mandator who has a business relationship with us or otherwise deals with us, as well as from other third parties (e.g., clients, counterparties, legal protection insurance companies, credit agencies, address brokers, associations, contractual partners, Internet analysis services). This includes, in particular, the data that we process in the course of initiating, concluding and performing contracts, as well as data from correspondence and other communication with third parties, but also all other categories of data pursuant to Section 3.
5-DISCLOSURE OF DATA TO OTHER PERSONS
In connection with the provisions set forth in Section 3 we transfer your personal data in particular to the categories of recipients listed below. If legally necessary, we obtain your consent for this or will have the competent supervisory authorities release us from our professional obligation of confidentiality.
- Service providers:We work with service providers in Switzerland and abroad who (i) process data on our behalf (e.g., IT providers), (ii) process data in joint responsibility with us or (iii) process data on their own responsibility that they have received from us or collected on our behalf (e.g., IT providers, banks, insurance companies, debt collection companies, credit agencies, list brokers, other law firms or consulting companies).
- Clients and other contractual partners:This mainly includes our clients and our other contractual partners for whom a transfer of your data arises from the contract (e.g., because you work for a contractual partner or they provide services for you). This category of recipients also includes entities with which we cooperate, such as other law firms in Switzerland and abroad or legal protection insurance companies. The recipients are themselves responsible for the processing of the data.
- Authorities and courts:We may disclose personal data to offices, courts, and other authorities in Switzerland and abroad if this is necessary for the fulfillment of our contractual obligations and, in particular, to conduct our mandate, or if we are legally obligated or entitled to do so, or if this appears necessary to protect our interests. The recipients are themselves responsible for the processing of the data.
- Counterparties and persons involved:To the extent necessary for the performance of our contractual obligations, in particular for the management of mandates, we also disclose your personal data to counterparties and other involved persons.
- Other persons:This refers to other cases where the inclusion of third parties results from the purposes according to Section 3. This includes, for example, delivery addressees or payment recipients specified by you, third parties in the context of agency relationships (e.g., your lawyer or your bank) or persons involved in official or legal proceedings. We may also disclose your personal data to our supervisory authority, in particular if this is necessary to release us from our professional obligation of confidentiality. Communications with our competitors, industry organizations, associations, and other bodies may also involve the exchange of your data.
All these categories of recipients may involve third parties, so that your data may also become accessible to them. We can restrict processing by certain third parties, but not by others.
We also allow certain third parties to collect personal data from you on our websites and at events organized by us, also under their own responsibility (e.g., providers of tools that we have embedded on our websites, etc.). These third parties are solely responsible for the data processing insofar as we are not decisively involved in these data collections. If you have any concerns or wish to assert your data protection rights, please contact these third parties directly. We have outlined your rights in Section 7. Information about the activities on our website can be found in Section 8.
6-DISCLOSURE OF DATA TO OTHER PERSONS
We process and store personal data mainly in Switzerland and the European Economic Area (EEA). However, depending on the circumstances personal data may potentially be processed in any country in the world, for instance through subcontractors of our service providers. In the course of our activities for clients, your personal data may also end up in any country in the world.
If a recipient is located in a country without adequate data protection, we contractually obligate the recipient to comply with an adequate level of data protection (for this purpose, we use the revised standard contractual clauses of the European Commission, if necessary with the required adaptations for Switzerland), insofar as the recipient is not already subject to a legally recognized set of rules to ensure data protection. We may also disclose personal data to a country without adequate data protection without entering into a separate contract for this purpose if we can rely on an exception clause. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the performance of a contract that is in your interest requires such disclosure (e.g., if we disclose data to our correspondent law firms), if you have consented, or if it is not possible to obtain your consent within a reasonable period of time and the disclosure is necessary to protect your life or physical integrity or that of a third party, or if it concerns data made publicly available by you, the processing of which you have not objected to. We may also rely on the exception for data from a register provided for by law to which we have been legitimately granted access.
You have certain rights in connection with our data processing. In particular, you may, in accordance with applicable law, request information about the processing of your personal data, have inaccurate personal data rectified, request the deletion of personal data, object to data processing, request the release of certain personal data in a standard electronic format or its transfer to other data controllers.
If you wish to exercise your rights against us, please contact us; our contact details can be found in Section 2. To prevent misuse, we must verify your identity (e.g., with a copy of your ID, if necessary).
Please note that conditions, exceptions, or limitations apply to these rights (e.g., to protect third parties or trade secrets or due to our professional obligation of confidentiality).
8-COOKIES, SIMILAR TECHNOLOGIES AND SOCIAL MEDIA PLUG-INS USED ON OUR WEBSITES
You can set your browser to automatically reject, accept or delete cookies. You can also disable or delete cookies on a case-by-case basis. You can find out how to manage cookies in your browser in the help menu of your browser.
Both the technical data we collect and cookies generally do not contain any personal data. However, personal data that we or third-party providers commissioned by us store about you (e.g., if you have a user account with us or these providers) may be linked to the technical data or to the information stored in and derived from cookies, and thus possibly to your identity.
We may also use social media plug-ins, which are small pieces of software that establish a connection between your visit to our websites and a third-party provider. The social media plug-in tells the third-party provider that you have visited our websites and may send the third-party provider cookies that the third-party provider has previously placed on your web browser. For more information about how these third-party providers use your personal data collected via their social media plug-ins, please refer to their respective privacy notices.
In particular, we currently use offers from the following service providers, whereby their contact details and further information on the individual data processing can be found in the respective privacy notice:
- Google Analytics, Provider: Google Ireland
Some of the third-party providers we use may be located outside of Switzerland. Information on cross-border data transfers can be found under Section 6. Further information on this can be found in the privacy notices of the corresponding service providers.
9-FURTHER TO BE CONSIDERED
We presume that the EU General Data Protection Regulation (“GDPR”) is applicable to data processing by us only in exceptional cases. Nonetheless, if the GDPR should apply to certain data processing on an exceptional basis, this Section 10 shall apply exclusively for the purposes of the GDPR and the data processing subject to it.
In this case, we base the processing of your personal data in particular on the fact that
- it is necessary for the initiation, conclusion and performance of contracts and their administration and enforcement (article 6 para. 1 lit. b GDPR; see also Section 3),
- it is necessary for the protection of legitimate interests of us or of third parties, e.g., for communication with you or third parties, to operate our websites, to improve our electronic offers and registration for certain offers and services, for security purposes, for compliance with the law and internal regulations, for our risk management and corporate governance, and for other purposes such as training and education, administration, evidence and quality assurance, organization, implementation and follow-up of events and for the protection of other legitimate interests (article 6 para. 1 lit. f GDPR; see also Section 3),
- it is required or permitted by law due to our mandate or position under the law of the EU or the EEA or an EU member state (article 6 para. 1 lit. c GDPR) or is necessary to protect your vital interests or those of other natural persons (article 6 para. 1 lit. d GDPR);
- you have separately consented to the processing, e.g., via a corresponding declaration on our websites (article 6 para. 1 lit. a and article 9 para. 2 lit. a GDPR).
We would like to point out that we process your data for as long as it is necessary for our processing purposes (cf. Section 3), the legal retention periods and our legitimate interests, in particular for documentation and evidence purposes, or storage is technically required (e.g. in the case of backups or document management systems). If there are no legal or contractual obligations or technical reasons to the contrary, we generally delete or anonymize your data after the storage or processing period has expired as part of our usual processes and in accordance with our retention policy.
If you do not disclose certain personal data to us, this may mean that it is not possible to provide the related services or conclude a contract. In principle, we indicate which personal data requested by us are mandatory.
If you do not agree with our handling of your rights or data protection, please let us know (see contact details in Section 2). If you are in the EEA, you also have the right to complain to the data protection supervisory authority in your country.
10-AMENDMENTS OF THIS PRIVACY NOTICE
This Privacy Notice is not part of any contract with you. We may amend this Privacy Notice at any time. The version published on this website is the current version.