• Processing and Protection of Personal Data

    Processing and Protection of Personal Data between VULPOI SI ASOCIATII – Societate Civila Profesionala de Avocati, a member of the Bucharest Bar Association, based on Decision of the Bucharest Bar Council no. 914/April 10, 2012, with professional headquarters in Bucharest, Dr. Iacob Felix Street no. 87, 3rd floor, fiscal code RO 30189891, in relation to the Client, hereinafter referred to as Independent Data Controllers

    For the purpose of clarity, the terms defined below will be interpreted as follows:

    • Applicable Legislation – Refers to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), as well as all laws, regulations, and rules issued concerning the processing of Personal Data, and secondary legislation issued for the application of GDPR and any subsequent laws or regulations.

    • “Data Subjects” – Will have the meaning attributed in the applicable data protection legislation.

    • “Personal Data” – Will have the meaning given by the applicable data protection legislation, referring to any information related to an identified or identifiable natural person (Data Subject) (e.g., name, surname, personal identification number, tax registration number, home/residence address, telephone number, email address, image, etc.).

    • “Processing” – Will have the meaning given in the applicable data protection legislation, referring to any operation or set of operations performed on Personal Data, including but not limited to: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, dissemination, disclosure, alignment or combination, restriction, erasure, or destruction.

    • Operator means:

      • The Client and its representative – Determine the purposes, legal bases, and means of processing, as well as carry out legal procedures to fulfill contractual obligations towards the Client.
      • The Consultant – By virtue of professional and legal obligations, determines its own purposes, legal bases, and means of processing (conditions under which legal assistance services are provided; categories of data processed in delivering legal assistance services, as well as processing means in accordance with Law no. 51/1995 regarding the organization and exercise of the lawyer profession and the Statute of the lawyer profession (“Statute”)).

    • Contract – Refers to the Legal Assistance/Consultancy Services Agreement concluded between the Consultant and the Client as the Beneficiary.

    • Personal Data Breach – Means a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data transmitted, stored, or otherwise processed, or to unauthorized access to such data.

    Regarding the personal data processed by both parties during and for the purpose of providing legal assistance services, the Consultant and Client will each act as Independent Data Controllers. They will process personal data in accordance with the Applicable Legislation.

    Categories of Data Subjects and Categories of Personal Data processed under the Framework Contract may include:

    • Data concerning legal or conventional representatives, natural persons, of the Client who may fall within the scope of the legal services covered by the Legal Assistance Contract, as determined and requested by the Consultant to ensure appropriate legal assistance services.
    • Personal data processed may include only the personal data held by the Client regarding the mentioned categories of Data Subjects that are deemed necessary by the Consultant for the provision of appropriate legal services.

    The Consultant and the Client each establish their own purposes, legal bases, and means of processing personal data. The parties acknowledge and agree that each Party has clear and independently determined purposes and confirm that they will not act as joint controllers or in an operator-authorized person relationship. Additionally, if circumstances arise where either Party acts as an authorized person of the other Party or as a joint controller with the other Party concerning this Contract, the Parties agree to enter into a contract in accordance with the provisions of Art. 26 or Art. 28 of the GDPR, as well as other relevant legal provisions. To avoid any doubt, the two parties establish the following:

    • The Consultant declares that it is a data controller according to Art. 4 point 7 of the GDPR. The Consultant confirms and declares that during the execution of the framework contract, it does not receive instructions from the Beneficiary or its representative regarding the execution of legal assistance services, with the Consultant acting fully independently and in accordance with the specific legislation governing the lawyer profession under Law no. 51/1995 regarding the organization and exercise of the lawyer profession and the Statute of the lawyer profession (“Statute”).

    • The Consultant, as a lawyer, processes personal data in the execution of the Framework Contract concluded with the Client and in fulfilling the legal obligations incumbent upon it according to the specific regulations governing its activity and professional standards. It establishes the purposes and means of processing personal data in accordance with its own terms and conditions for providing legal assistance services as set forth in the specific legal regulations for the lawyer profession, so that, concerning the processing of personal data, it will act as an Independent Data Controller.

    • The Client and its representative process personal data for their own purposes according to the contractual relations concluded with the Data Subjects and other subsequent purposes arising from the contractual relationship with the Data Subjects, and, in this context, will act as an Independent Data Controller concerning personal data processing.

    • The Consultant will use personal data in the ways and for the purposes established in its own personal data protection policies, as regulated by the specific legislation applicable to the lawyer profession.

    In providing services, the Consultant, as an independent provider of legal assistance services, is subject to specific standards, obligations, and legal regulations, including confidentiality and professional secrecy obligations, and through its representatives, declares that it processes personal data in full compliance with the Applicable Legislation (as defined above) and fully respects the legal obligations, including those to inform Data Subjects.

    • The Client declares that it processes personal data in full compliance with the Applicable Legislation (as defined above) and fully respects its legal obligations, including those to inform Data Subjects, and acts as an Independent Controller in relation to the Data Subjects.

    The Parties have the following obligations:

    • Ensure compliance with all obligations as an Independent Controller according to the Applicable Legislation on data protection.
    • Implement, maintain, and apply appropriate technical and organizational measures to meet the legal requirements established by the Applicable Legislation.
    • Store personal data in a manner that prevents breaches of personal data security, particularly through measures ensuring that personal data become unintelligible and inaccessible to unauthorized persons.
    • Take all necessary steps to ensure the appropriate ethical conduct of its personnel who have access to the personal data processed under the Framework Contract, particularly concerning data confidentiality.
    • Comply with all obligations as an Independent Controller under the Applicable Legislation regarding Personal Data Breach. The Consultant will inform the Client within a maximum of 36 hours of any personal data breach identified by the Consultant that affects data transferred by the Client under this potential collaboration.
    • Respond within legal deadlines and without delay to requests from the Supervisory Authority (“ANSPDCP”) or Data Subjects concerning the processing of personal data.
    • Provide mutual assistance in addressing Data Subject rights requests and requests from ANSPDCP, by supplying all necessary information available regarding data processing, within the limits set by legislation.
    • Process personal data for the purpose of executing the legal/consultancy services contract and for subsidiary purposes that arise and are compatible with this purpose.

    Each party, the Consultant and the Client, may process personal data through authorized persons, provided such processing of personal data complies with the requirements and obligations established by the Applicable Legislation, particularly the requirements of Art. 28 of the GDPR.

    In addition to the stipulated obligations, the Operators commit to informing each other about any procedures carried out by ANSPDCP or another competent authority regarding the processing of data covered by this Agreement and any correspondence with these entities (including the content of such correspondence) related to the performance of this Agreement. In the event of any inspection concerning Personal Data held under this Agreement, the targeted Operator must notify the other Operator in writing about the inspection no later than 24 (twenty-four) hours from when it learns about the planned or conducted inspection, at the addresses specified in the framework service contract.

    Both the Consultant and the Client will not transfer any personal data to third countries outside the European Economic Area (“EEA”).

Scroll to Top