Privacy and Cookie Statement

www.debrauw.com

This is the privacy statement of De Brauw Blackstone Westbroek N.V., based at Burgerweeshuispad 201, 1076 GR in Amsterdam. In this document we explain how De Brauw uses personal data when you apply for a job, when we provide legal services, when you act as a supplier to De Brauw and when we use contact data in our CRM system.

If you have any further questions about our use of your data, please contact our Data Protection Officer via dpo@debrauw.com. This privacy statement is dated 11 July 2022 and may be changed over time.

Contents

1. Who is responsible for the use of my data?

2. When I visit the website, which data do you collect, for what purpose do you use this data, and for how long do you store it?

3. What cookies do you use, and for what purpose?

4. When I apply for a job at De Brauw, which data do you use, for what purpose do you use this data, and for how long do you store it?

5. When I provide goods or services to De Brauw, which data do you collect, for what purpose do you use this data, and for how long do you store it?

6. What data do you store in your CRM system, for what purpose do you use this data, and for how long do you store it?

7. What data do you store in your CRM system, for what purposes do you use this data, and for how long do you store it?

8. When I visit the offices of De Brauw, which data do you use, for what purpose do you use this data, and for how long do you store it?

9. How do you share my data outside the EU?

10. What happens when you get an order to disclose personal data?

11. To whom can I address my questions and requests for inspection, correction and removal of my personal data, and what other rights do I have?

1. Who is responsible for the use of my data?

De Brauw is the controller when you visit our websites, when we handle job applications, when we use contact data in our CRM system, when you provide us with goods or services and when we provide legal services. In certain exceptional cases – for example, in specific due diligence work – the client is the sole controller and De Brauw is the processor. For example, when you use our client portal Connect, for some applications the client may be the controller and De Brauw the processor. Where applicable, we will then conclude a data processing agreement with the client. If we are the processor, and you contact us with a privacy-related question, we will refer you to the organisation that is the controller.

2. When I visit the website, which data do you use, for what purpose do you use this data, and how long do you store it?

Our website, www.debrauw.com is used to provide general information about our firm our people, and about working at De Brauw.

For clients and local counsel, we also have dedicated websites and apps:

Connect, our client collaboration platform;

ECC, our local counsel platform to help clients and us keep track of costs.

Dawn Raids App (Android / iOS), an app providing practical information during a dawn raid.

For all these websites and site-based apps, we collect usage data: your IP address, the pages you visit, when you visit those pages, and (where applicable) the previous/subsequent site you visit. We use this data for various reasons, including: to generate usage statistics; to provide for (additional) functionality on the sites; to manage the sites by resolving any technical faults or improving accessibility to certain parts of the sites; and safeguarding the security of our IT systems. We retain this data for 12 days, unless stated otherwise. We process this data to ensure that you can visit a functional and secure websites and apps. We use an external hosting provider to serve the websites and apps, except for ECC, which we host ourselves. This means that for those websites where we use a hosting provider, the personal data collected when you visit our website will be transferred to the hosting provider (as a processor). Our Dawn Raids app does not collect any information from your device.

Our client and local counsel websites mentioned above also allow you to create an account. If you decide to create an account, we will collect your email address and your password. We use this data to register you with our website and provide you with access to the website. We use your email address to restore your password and to send you updates about our service. Some of the websites also process further data about you for additional purposes:

For Connect: for some users, we automatically add the organisation you work for. You can add more information to your profile, such as your bio and a picture. By doing so, if you are a Flexpooler, we know for what engagements we could contact you. We make this profile data also available to others on the platform. In addition to the usage data mentioned above, we also collect the access type (Download, View, Print). We retain usage data for 1 year.

For ECC: we use your email address to remind you to submit fee updates. For all our client and local counsel websites, we process this data on the basis of our interest to perform our services as agreed with our client. For Connect, we retain this data for as long as you have an account with us. For ECC, we retain this data for seven years after the data was submitted.

3. What cookies do you use, and for what purpose?

When you visit a website of De Brauw, cookies are placed on your computer. De Brauw uses two types of cookies:

Necessary cookies: De Brauw uses a cookie in order to offer the website’s basic functionality and to remember your cookie settings. This cookie is called _gat. It is stored for 24 months. If the _gat-cookie is used to throttle the request rate, then it is stored for 1 minute.

Cookies for analytics: De Brauw uses cookies to generate anonymous user statistics to make our websites more user-friendly. We do this through Google Analytics, a web analysis service offered by Google Inc. (Google). Google uses aggregated statistical information to provide De Brauw with an understanding of how visitors are using our websites. To protect your privacy, we have configured Google Analytics to only store part our visitors’ IP address and to not share data with others. Google may only provide this information to third parties if it has a statutory duty to do so or to the extent that the third parties are processing the information on Google’s behalf. We have signed a data processor agreement with Google. We use the following cookies for this purpose: _ga and _gid. These are stored for 24 months and 24 hours respectively.

If you want, you can turn off Google Analytics tracking for debrauw.com :

When you visit Connect, we use the following cookies: (i) DWRSESSIONID and cfusi for security purposes, stored during the session, (ii) FK, dwp and rsu for authentication purposes, FK stored for 1 day, dwp and rsu stored for 100 days and (iii) ROUTEID to improve performance, stored during the session.

4. When I apply for a job at De Brauw, which data do you use, for what purpose do you use this data, and for how long do you store it?

When you apply for a role at De Brauw via www.debrauw.com you will be forwarded to the job application platform, (www.connexys.com) which is provided by Connexys B.V. as processor. You will then be asked to provide certain personal information. If you provide us with a link to your LinkedIn profile, we will also add the profile information to your application. You may also be asked to provide further information in follow-up correspondence with us.

We use this data: to assess your suitability for the position, to safeguard our internal control and security, to comply with legal obligations, and to handle requests for reimbursement of your expenses. We also use the information to determine your employment terms. We process this data to ensure that we find suitable candidates for our vacancies, or – in the case of identity documents and certificates of conduct – because we have a legal obligation to do so.

If you have applied to work at De Brauw and you have been hired, the data will be added to your employee file and retained for seven years after you leave De Brauw. If you have been accepted to one of our student events, the data will be stored for two years. If your application has been rejected, the data will be retained for a period of four weeks after our decision, unless you give us permission to use your personal data to inform you of any suitable vacancy or position in the near future. In that case, we will retain your data for one year.

For some job applications, we may ask LTP Advies B.V. as processors to perform an assessment. We will provide some of the information that you submitted to us, (including your name and your CV), to the assessment firm. We store the outcome of the assessment, together with the other data that you have provided to us, and retain this for the same periods as above. We also use The Selection Lab B.V. for assessments and the same process applies.

5. When you provide legal services, which data do you use, for which purpose do you use this data, and for how long do you store it?

De Brauw is generally engaged for investigations, litigation and corporate matters. In the course of providing those services, we process personal data of different categories of people. These include clients, clients’ contact persons, witnesses, experts, counterparties, counterparties’ contact persons, counterparties’ lawyers and advisors, and persons whose personal data forms part of a file. In particular:

When we assist in litigation and perform investigations, we may search for relevant information in files provided by our clients or another party. We may use this information, including personal data, in documents drafted by us as part of our services. For litigation, this includes investigating and preparing court documents. For investigations, this includes reporting to a client on its compliance with applicable rules.

When we are engaged as counsel in corporate matters, we may set up or review a data room, which often contains personal data – for example, about employees. Or we might be asked to provide advice on corporate governance, which often involves analysing documents containing personal data. Sometimes we incorporate that information in documents drafted by us, such as reports or contracts. We do this to effectively provide legal services to our client, including by the preparing of -, and advising on, a transaction involving the acquisition or restructuring of a company.

We also offer notarial services, for example by rendering legal advice, legalising documents, and preparing, handling, passing and storing notarial deeds.

We also process some of the personal data mentioned above for internal knowhow purposes. For example, we store relevant files (after attempting to remove most personal data) and some of our interactions with others, such as, representatives of supervisory authorities attorneys and judges, in our internal knowhow repository, to retrieve this information at a later date.

We do this processing on the basis of our clients’ legitimate interest in establishing, exercising and defending their legal rights, on the basis of our own commercial interest to offer high quality professional services and we may also do this because we are legally obliged to.

We will also use the contact details (name, address, email address) of our client (or their contact person) to send invoices. We do this to enable us to collect fees for our services, as part of the performance of the agreement between us and our client.

Lastly, we store this data to allow for a possible audit by the Netherlands Bar Association or the Royal Dutch Association of Civil-law Notaries. We do this because we are legally obliged to.

We retain our files for 20 years after the matter is closed, unless we are required by law to retain the files for a longer period of no more than 30 years (for example, in certain environmental cases). After this period, we will offer to return original documents which were provided by the client, and we will securely destroy all files. For notarial files, the retention periods prescribed by law apply.

Prior to most engagements, we collect certain information to verify the identity of the client, in order to comply with anti-money laundering legislation and legislation governing Dutch legal professions. De Brauw is obliged to report unusual transactions to the Financial Intelligence Unit (FIU-Nederland). In that case, De Brauw must also provide the information it collected. De Brauw retains this information for a period of five years after the termination of the relationship or the performance of the transaction, unless this information has become part of a matter, in which case it is retained as long as the file of the matter is retained.

Sometimes, we share information processed in the course of providing services, including with lawyers from other firms, other advisors to clients, and courts. But only if this is possible within the boundaries of the strict confidentiality imposed on lawyers and notaries. In some cases, this is because you have given us permission, and in other cases, this is because our clients have a legitimate interest in establishing, exercising or defending their legal rights.

When you digitally sign documents through Docusign in the context of our legal services, we collect your email-address, IP-address and an image of your signature, as well as the time and date on which you used the service. We store this information in the matter related to the document you signed, and use it to document the signing process. We do this because we have a legitimate interest in retaining evidence of the signing. This data is available to all parties on behalf of which this document is signed, who may be located outside of the European Union or the European Economic Area.

6. When I provide goods or services to De Brauw, which data do you use, for what purpose do you use this data, and for how long do you store it?

When you or your employer does business with us, we will collect certain data about you. Often this information, (such as your name, email address and position), is provided by yourself in the course of doing business with us. Part of it might be derived from the order documents: we register what services or goods are provided, and payment details. And, sometimes, we will ask for other information, such as a certificate of conduct. If you are a freelancer, we will also store the contract that we have with you. We use this information to process and handle incoming invoices, to book invoices on matters in order to bill these to clients, to create a balance sheet and an overview of profits and losses, to file tax returns, to create internal financial reports, and to arrange for an audit by an accountant.

The basis for the handling of invoices is the performance of our contract with you, or because we have a legitimate interest in performing the contract with your employer. The basis for booking the incoming invoices to clients is the interest in charging our clients for the services provided. The basis for creating a balance sheet and an overview of profits and losses, and to create internal reports on finances, is because we are legally obliged to do so and because we have an interest in administering our finances. The filing of tax claims and the performing of an audit by account is done because we are legally obliged to do so. We retain invoices we receive and the contracts with suppliers, including contact details of suppliers, for a minimum of seven years.

7. What data do you store in your CRM system, for what purposes do you use this data, and for how long do you store it?

De Brauw uses a company-wide system to keep track of its contacts. For most persons, we store the name, email address, phone number, job title and work history (e.g., for which organisation did someone work for previously, or is now working for). We sometimes also store additional information about someone, such as the industry they work in, gender, mailing language, areas of interest, home address, birthday, a spouse/partner’s name, hobbies, and other personal notes. We also keep track of the mailings we send to this person. For our Alumni, we also note when someone has left the firm. If, in the past, you have been a client of De Brauw, were subscribed to our newsletters, or have worked with De Brauw, your records are probably in this system.

We use this data to address you personally and ensure that persons within the firm communicating with you know your relevant personal details. We also use this data to get a better overview of your network, the company you work for and its market(s). Lastly, we use this to send you newsletters, updates about our firm and invitations to our events. If you are not yet a subscriber, you can subscribe by sending an email to info@debrauw.com. You can always unsubscribe from receiving newsletters or change your preferences by sending an email to the same address. We use your data on the basis of our interest in building and maintaining our network of personal contacts. We delete your data if it has not changed in 36 months and you have not received a mailing via our CRM-system during this period.

8. When I visit the offices of De Brauw, which data do you use, for what purpose do you use this data, and for how long do you store it?

When you come to De Brauw's offices, and use the parking space of the Amsterdam office of De Brauw, you will get a temporary exit pass and we do not process your data for administration of parking spaces. In our Brussels office, when you use our parking space, we provide your name to the firm handling the security for the building, Securitas. We do not store this data ourself. We use this data because we have a legitimate interest to ensure you can use our parking spaces.

When you are visible to security cameras on or outside the premises of our Amsterdam office, your footage is stored for seven days. In our Brussels office, the firm handling our security, Securitas, operates a number of cameras at the entrance, common space and parking space. In London, the building owner, 125 Old Broad Street, operates camera’s at the entrance to the building. We may under circumstances be able to gain access to the footage collected by them. We are furthermore happy to put you in touch with Securitas and 125 Old Broad Street for further information. We use the footage collected via camera’s because we have a legitimate interest to: (i) handle disputes, (ii) protect the safety and health of one or more natural persons, (iii) secure access to the office building, (iv) guard the office, and (v) monitor incidents.

When you have a meeting in our offices, we will register your name, organization, emailaddress, date and time of entry and exit, date and time of the meeting, as well as your contact person at De Brauw. We use this data because we have a legitimate interest to plan and schedule meetings, to register which persons are at De Brauw for which meeting/contact person and to safeguard internal control and security. We retain this data for 3 months after your visit.

9. How do you secure my data?

De Brauw takes office-wide security measures as part of its information security framework. Technical measures include the use of access controls, firewalls, network segmentation, virus scanners, traffic monitoring, penetration tests, and encryption of laptops, phones and USB-sticks. Organisational measures include a clear screen policy, confidentiality provisions, screening of personnel, privacy and security training and awareness, and implementing controls in contracts with suppliers. De Brauw is ISO 27001-certified, which demonstrates that it has implemented its information security measures according to internationally acknowledged standards. De Brauw has a Chief Information Security Officer responsible for the development and implementation of the information security policy.

10. How do you share data outside the EU?

In addition to its headquarters in Amsterdam, De Brauw has offices in Brussels, London, Shanghai, and Singapore. De Brauw has concluded standard contractual arrangements for the international transfer of data with its offices in Shanghai and Singapore (so-called controller-to-controller standard contractual clauses, which can be found here). In circumstances where De Brauw transfers personal data to other parties, in those countries outside of the EU/EEA without an adequacy decision, transfer is usually necessary for the establishment, exercise or defence of legal claims. Otherwise, De Brauw will ensure that it provides appropriate safeguards for this transfer in accordance with the GDPR.

11. What happens when you receive an order to disclose personal data?

While this is unlikely, we may be required to disclose personal data by a court order or to comply with other legal or regulatory requirements. We will do everything we reasonably can to notify the persons involved before we disclose these data, unless we are legally restricted from doing so.

12. To whom can I address my questions and requests for inspection, correction and removal of my personal data, and what other rights do I have?

You are entitled at any time to request inspection, correction, removal or restriction of the processing of your personal data by De Brauw. In addition, in some cases you have the right to receive your data in a structured format (i.e., data portability). Please send your request, as well as other privacy-related questions you might have, to our Data Protection Officer at dpo@debrauw.com. Finally, you also have the right to lodge a complaint with the Dutch Data Protection Authority (the Autoriteit Persoonsgegevens).