RRP handles personal data for various purposes. We collect this personal data directly from you, for example, by being hired for the provision of legal services, visiting our website rrp.pt, submitting your data to receive our marketing communications or newsletters, or when we receive an application for a professional internship or collaboration. We also collect and process personal data in the context of providing professional services to employers or service providers of the holders. We also obtain your personal data from publicly available sources such as LinkedIn. This privacy notice is intended to cover all the above scenarios.
For this purpose, “Personal Data” means any information relating to a natural person that can be identified, directly or indirectly, by reference to an identifier such as name, identification number, location data or online identifier. Personal data also refer to one or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity of an individual.
If you have any questions about the processing of your personal data or wish to contact any RRP officer, please contact us at firstname.lastname@example.org
2. Purposes and legal basis
A) Provision of professional services
As part of providing professional services to our clients, we collect and use personal data in connection with those services as required for their performance. In this context, we also process personal data from people who are not directly our clients (e.g., employees, customers, or suppliers of our clients). For example, if we do a due diligence for a client’s acquisition of an entity, we will obtain personal data about its employees, management, and customers.
Most of the personal data we collect and use to provide our services is provided voluntarily by our clients or collected by us from third party sources at the request of our clients. For this reason, if you are a RRP client, you will know what personal data we collect and use.
We require confirmation from our clients that they have the authority to provide us with personal data related to the execution of the services and that any personal data they provide to us has been processed in accordance with applicable law.
Given the diversity of the services we provide, we process many categories of personal data, such as:
– Personal data of the individual client and his/her family members, including names, addresses and demography, contact information, birth dates and tax identifiers, including social security numbers and e-mail addresses
– Personal data of the clients’ employees, including names, contact information and e-mail addresses
– Personal data contained in documents and files of the client or third parties, such as identification documents (birth certificates, marriage licenses, school documents and diplomas and copies of the passport) and tax declarations: Liability, dates produced and sent, settlement amounts and taxes paid
– Personal data contained in documents drawn up in the framework of the provision of services
– Personal data contained in documents drawn up in the context of the representation of clients to third parties, in particular courts within the framework of the legal obligation
– Immigration data: Work permit questionnaires, work permit status, copy of application form, copy of work permit, copy of visa, copy of passport and other immigration documents
For certain services, we also process special categories of data. For example, the provision of tax reporting services involves the handling of payment details made by our client, by his/her spouse and dependent to trade unions, political parties, for medical treatments or religious charities. Such data are intentionally collected and will be used only when necessary for the provision of the service for which the data were collected, such as the determination of the correct taxation of our client’s income and to claim the correct tax deduction for such payments.
In addition, we also collect and process personal data as part of the processes of acceptance and verification of the good repute of our clients, including independence, anti-money laundering, conflicts, reputation, and financial verifications, and to comply with any other legal or regulatory requirements to which we are subject. These verifications may include identity verification and declaration of the effective beneficiary of the Company and other legal entities, conflict verification, anti-money laundering, proceeds of crime and terrorist financing, politically exposed persons (PEP) verification: persons with prominent roles in government, judicial system, courts, central banks, embassies, armed forces and state-owned enterprises, including their relatives and closely associated persons, adverse media verifications, government sanctions list verifications, and independence controls.
These verifications are made for legal, regulatory, or commercial reasons and need to be repeated during our commitment. As part of these verifications, we are obliged to process special categories of data (for example, to verify whether you are a politically exposed person or to collect information about criminal convictions when it is necessary for the purpose of money laundering laws). It is important that we are provided with all the necessary information and documents, as it affects our ability to provide the services.
We use this information to:
- to provide our services
- in our legitimate interest in managing and maintaining our contractual relations
- in our legitimate interest in marketing and business development actions
- in our legitimate interest in ensuring that services are provided with continuity, consistency, and quality
- to comply with our legal and regulatory obligations, for example in accounting and fiscal matters
- to establish, exercise or defend legal rights
- for historical and statistical purposes.
We process personal data about our suppliers (including subcontractors and individuals associated with our suppliers) to manage our relationship and contract, and to receive services from them.
The personal data we process is generally limited to contact information (name, employer name, telephone number, email and other contact information) and financial information (payment-related information).
In addition, we also use data about our suppliers to check whether there are any conflict of interest or a restriction of audit independence to hire a supplier. Before we contact a new supplier, we also conduct independent audits and other background checks required by law or regulation, for example, adverse means, bribery and corruption, and other financial crime verifications.
We use this information to:
- performance of a contract
- in compliance with a legal or regulatory obligation
- in our legitimate interest in managing payments, fees, and charges, and in collecting and recovering amounts due
- in our legitimate interest in understanding any conflict of interest or challenge in relation to legislation regarding independence
- in our legitimate interest in protecting us from inadvertent manipulation of the proceeds of criminal activities or assistance in any other illegal or fraudulent activity (e.g., terrorism).
C) Business and professional contacts
We process personal data about business and professional contacts, such as past, current, and potential clients and individuals employed by, or associated with, such clients, and other business or professional contacts, such as former employees, consultants, regulators, and journalists. Newsletters, marketing materials, event information or learning opportunities, surveys and event invitations may be sent to these contacts.
The personal data we process is generally limited to contact information (such as name, title, address, email address, telephone, and fax), the name of the employer or organization to which the individual is associated, as well as any user preferences regarding our communications that you have expressed and in responses to invitations and interactions that have existed.
We do not knowingly collect sensitive category data unless it is voluntarily provided to us for a specific purpose (for example, special dietary requirements that reveal your religious affiliation or any food allergy, in the context of participating in one of our events).
Business and professional contact data will be maintained if there is a need for its use and will be deleted when no longer needed or sooner, if required by law.
We use this information to:
- in our legitimate interest in managing the relationship with our business contacts and providing information about RRP, our services and events we organize
- to give expression to the explicit consent received from the contacts concerned.
D) Website users (rrp.pt)
We collect personal information that is voluntarily provided to us through our site, for example, by completing online contact forms, registering to receive our newsletters, participating in surveys, or registering for participation in events that we organize. The information we collect in this context include name, position, hierarchical level or job function, education, company or organization, contact information, including primary email, e-mail address and phone numbers, demographic information, such as industry, country, postal code, preferences and interests, other information relevant to the purposes described, information obtained through event forms, such as food restrictions, information about hotels and flights, status of registration/participation, participation in media interviews, experience of previous events and gender.
We do not knowingly collect data from sensitive categories unless it is voluntarily provided to us for a specific purpose (e.g., food restrictions). Although there are free text boxes on our site, where the free entry of any information is permitted, it is not our intention to process sensitive information, therefore, the provision of this information is not mandatory and should not be done in the free text boxes. By voluntarily providing any sensitive personal information this way, you acknowledge that you agree to the collection and processing of such sensitive information.
This data will be maintained if there is a need for its use and will be deleted when no longer needed or sooner, if required by law.
We use this information to:
- in our legitimate interest in the effective delivery of information and services and the effective and legal operation of our business
- in our legitimate interest in developing and improving our site and your user experience
- to give expression to the explicit consent received from the site visitors concerned.
E) Job applicants
We collect information from and about candidates regarding the professional collaboration opportunities available at RRP. The information we collect includes CV, identification documents, academic records, work history, employment information and references.
We use this personal data to tailor the skills, experience and education provided to the specific opportunities available at RRP. This information is passed on to the people involved in the recruitment process to decide if the candidate should be interviewed. RRP will collect more information if the candidate is invited to the interview phase (or equivalent) and later. Such information includes interview notes, assessment results, feedback and job offer details.
In relation to our recruitment activities, including applications and onboarding, we also collect data from special categories of candidates where we have an obligation to do so, by virtue of a legal enforcement, arising from labor law. For example, where permitted and/or imposed by applicable law, we will collect information about an individual’s disabilities to analyze the diversity of our workforce, with consent. Once professional collaboration is established, the provision of individual information on disabilities will also be used to provide an appropriate working environment. Criminal background checks will also be required for certain candidates to assess their eligibility to work at or for RRP clients.
We collect personal data about applicants from the following sources:
Directly – for example, information that candidates provide when applying for a position directly through the RRP website
Recruitment agencies – for example, when a recruitment agency that has the candidate details contacts us to suggest it as a potential candidate
Through publicly available sources online – for example, professional profiles posted online (including on your current employer’s website or on a professional networking site, such as LinkedIn)
By reference – for example, through a reference from a former employee or employer, or a reference that you have identified
We use this information to:
- to give expression to the applicant’s explicit consent
- in our legitimate interest in attracting, identifying, and seeking employees
- in our legitimate interest in the treatment and management of applications for job opportunities at RRP, including screening and selection of candidates
- in our legitimate interest in hiring and integrating candidates, making an offer to approved candidates and carrying out pre-hiring screening checks
- in compliance with legal or regulatory obligations regarding the recruitment of employees.
F) Email senders to RRP
RRP uses a variety of tools to maintain the security of our IT infrastructure, including e-mails. Examples of such tools are:
- Systems that check incoming e-mail to RRP recipients for suspicious attachments and URLs to prevent malware attacks
- Tools that provide end point threat detection to detect malicious attacks
- Tools that block certain content or websites.
RRP tools to maintain the security of its IT infrastructure analyze messages sent by e-mail to an RRP recipient. RRP persons other than the intended e-mail recipient might read its content.
We use this information to:
- in our legitimate interest in protecting our IT infrastructure from unauthorized access or leakage of information
- in our legitimate interest in analyzing e-mail traffic.
3. Personal data transfer
Certain aspects of our information technology infrastructure are centralized, including information technology services provided to law firms that are part of the EY Global Law network, including RRP. In addition, when our services cover more than one jurisdiction, certain information needs to be accessed by a third party. Therefore, your personal data may be transferred and stored in locations outside the jurisdiction in which you provide it. This includes countries outside the European Economic Area (EEA) and countries with laws that have not necessarily been determined to provide an adequate level of protection for the processing of personal data under EU or other jurisdictions.
We take appropriate security and legal precautions to safeguard the security and integrity of the personal data that are transferred in accordance with applicable European privacy laws.
Your personal data will also be analyzed by service providers who support our internal auxiliary processes (see subcontractors).
4. Service providers
We may transfer or disclose the personal data we collect to service providers (and their branches and affiliates) that are contracted by us to support our internal processes. For example, we hire service providers to provide (a) general office support, including printing, production, and document management, filing and translation services; b) accounting, financial and billing support; (c) IT functions, including system management and security, data storage, business tools, voice mail, and system replication for business continuity / disaster recovery purposes; and (d) conflict checking, risk management, and quality assessment.
It is part of our policy to use only service providers that are required to maintain adequate levels of data protection, security, and confidentiality, and that comply with any legal requirements applicable to the transfer of personal data outside the jurisdiction in which they were originally collected, in particular, the existence of an appropriate transfer mechanism.
5. Disclosure to third parties
RRP may also disclose the personal data it collects and processes:
– where required by applicable law, by decision or order or to fulfill another legally binding obligation
– in the context of a corporate reorganization involving our organization
– if we believe that such disclosure is appropriate to enforce or apply contractual provisions or other agreements, or to protect and defend the rights, property, or security of RRP; or
– where we have consent for this purpose.
We would like to draw particular attention to the fact that, under the terms of applicable law, we have a legal obligation to report suspicious transactions and other activities to the regulatory authorities responsible for combating money laundering, terrorist financing, insider trading or related legislation.
Potential recipients of personal data transferred by RRP include:
– Professional consultants, such as lawyers, tax consultants or auditors
– Insurance Companies
– Tax and customs authorities
– Regulatory bodies and other professional bodies
– Public records of company managers and shareholders
– Courts and other public authorities
– Service providers.
6. Integrity and security of personal data
RRP employs technical and organizational measures to ensure the confidentiality and security of the information it obtains during its activity. Access to such information is limited, and there are policies and procedures created to ensure that information is not lost, misused, and wrongfully disclosed.
We also seek to ensure the maintenance and integrity of the personal data we have, and it is important that you inform us of any updates to your contact details or other personal data so that we have the most up-to-date information about you. Please contact your person of contact at RRP for this purpose, or contact us at email@example.com
7. Retention periods
Our policy is to retain personal data only for the time required for the purposes described in the “Purposes and legal basis” section.
To meet our professional and legal requirements, to establish, exercise or defend our legal rights, and for archive and historical purposes we need to retain information for significant periods of time.
8. Rights of data holders
As data holder, you can contact us at any time to make use of your rights. These rights, where applicable, are:
- The right to information on data processing and to obtain a copy of the data processed
- The right to require the rectification of inaccurate data or the completion of incomplete data
- The right to require the erasure of personal data
- The right to require restriction of data processing
- The right to receive personal data relating to the data holder in a structured format, commonly used and machine-readable, and to request the transmission of such data to another person
- The right to oppose data processing
- The right to withdraw the consent previously given to terminate data processing based on it without affecting the lawfulness of the treatment based on consent before withdrawal
- The right to submit a complaint to the competent authority: CNPD – National Data Protection Commission.