• 1.1 This Notice describes how we process Personal Data in connection with:
  • 1.1.1 all matters related to our clients, former clients and potential clients;
  • 1.1.2 newsletters, events and other marketing initiatives;
  • 1.1.3 the cookies that are used on our Website;
  • 1.1.4 all of our statutory obligations with respect to the GDPR, any relevant Data Protection Law,and any other laws and regulations that may be applicable, including our obligations with respect to anti-money laundering (“AML”), know-your-customer (“KYC”) or international and national sanction screening (“Sanctions”) procedures;
  • 1.1.5 security matters on the premises of the Firm.

• 2.1 Depending on which law firm COBALT entity you communicate with, one, some or all of the following entities act as data controllers of your Personal Data:
  • 2.1.1Advokaadibüroo COBALT OÜ, an Estonian limited liability company with registry code 10188708, address Pärnu mnt 15, Tallinn, 10141, Estonia, e-mail tallinn@cobalt.legal, phone +372 665 1888 (“COBALT EE”);
  • 2.1.2Zvērinātu advokātu birojs "ZAB COBALT SIA", a Latvian limited liability company with registry code 40203333511, address Marijas iela 13 K-2 – 3, Riga, LV-1050, Latvia, e-mail riga@cobalt.legal, phone +371 6720 1800 (“COBALT LV”);
  • 2.1.3Advokatų profesinė bendrija Norkus ir partneriai COBALT, a Lithuanian partnership, address Lvivo 25-104, Vilnius, LT-09320, Lithuania, e-mail vilnius@cobalt.legal, phone +370 5250 0800 (“COBALT LT”).
• 2.2Depending on the situation, all of the entities referred to in Section 2.1 of this Notice, may be acting as joint or separate data controllers responsible for your Personal Data processed via the Website.

We process your Personal Data on the basis of:

• your consent;
• legal agreement between us;
• legal obligations to which we are subject to; and / or
• our legitimate interest to ensure the quality of our legal services, ensure security, protection of our financial interests, spread information about our services and events, keep business relationships with our clients and partners, provide good customer service, understand and improve how people are using our Websites and find best employees.

Please see the detailed information about the legal basis and Personal Data being processed for each processing purpose referred to in Section 4 of this Notice.

We limit the processing of your Personal Data to the scope of purpose for which the data was collected. In cases where the processing is based on your consent, you have the right to withdraw your consent to such processing at any time. However, it may limit the legal services offered to you, if the collection and processing is required by the law.

Access to your Personal Data will be restricted to personnel who are required to process the Personal Data to fulfil their professional responsibilities and their duties to you as the Client. Your Personal Data is not stored or processed longer than is necessary with respect to the data processing purposes that we have referred to as referred above.

We have taken the appropriate technical and organizational measures to ensure the secure processing of your Personal Data. Your data will be processed in such a manner to ensure confidentiality and data integrity.

• 4.1 Depending on the Services, the Firm may process the following categories of your Personal Data:
  • 4.1.1Legal services data: We collect information that has been provided by you or a person who acts on behalf of you, or information that we acquire independently within the scope of providing professional legal services.
    
    When providing legal services, we collect and process different categories of Personal Data. This collection of Personal Data is necessary to fulfil the contractual obligations that we have towards our Clients, and in our legitimate interest as a law firm and legal counsel to Clients and potential Clients. As per our professional responsibilities, we will take the utmost care to ensure the confidentiality and integrity of the Personal Data. We may supplement the Personal Data that you have provided to us directly with Personal data that has been obtained from publicly available resources and registrars. When providing legal services, we collect and process the following categories of Personal Data:
    • Information about the Client, person acting on behalf of the Client and transaction, for example, identification information - for natural persons: name, date of birth, information about the identification document, contact details, address, information on entities related to Client such as name of the company, registration number, authorizations, information related to the transaction and any information included in the case file, for example, information related to the business activities, employees or representatives of the Client, opposite side, as well as personal data of other persons if processed by us while providing legal services, which can include also special (or sensitive) Personal Data.
      Purpose: to conduct conflict check, provide legal services, and comply with our legal obligations to conduct KYC and Sanctions screening.
      Legal basis: (i) legal agreement between us; (ii) our legal obligations under applicable laws, including AML and Sanctions laws; (iii) legitimate interests pursued by us and third parties (to provide good customer service and obtain your review).
    • Information about the ultimate beneficial owner and politically exposed persons
      Purpose: to conduct AML/KYC and Sanctions screening procedures.
      Legal basis: (i) our legal obligations under applicable laws, including AML and Sanctions laws; (ii) legitimate interests pursued by us and third parties (to protect our business).
    • Information about the transaction and billing information
      Purpose: to issue invoices based on the provided legal services and to comply with our legal obligations.
      Legal basis: (i) legal agreement between us; (ii) our legal obligations under applicable laws, including related to accounting and tax requirements; (iii) legitimate interests pursued by us and third parties to timely administer payments and debts.
  • 4.1.2 Marketing data: We may send you news about the latest developments in connection with the Firm, the scope of services that we can provide to you, as well as information about most relevant legal developments and any upcoming events that may be of interest to you, including educational seminars. Marketing data also comprises communications data through the following social media pages: LinkedIn, Twitter, Facebook. We may use your name, your e-mail address, and other information that can be used to contact you for the sake of providing you with this information.
    
    We may process the following Personal Data for marketing purposes:
    • Basic data: first and last name, e-mail, address, marketing options („Basic Data“).
      Purpose: to forward you information regarding events hosted by us that might be of interest for you (e.g. seminars), forward you the invites to our events, send you marketing announcements (newsletters, satisfaction survey, season’s greetings, collecting feedback from the attendees of the event) and legal news relevant to your field of business, to store documents and materials in backup system.
      Legal basis: In relation to our existing clients – legitimate interest in performing direct marketing, preserving, valuing and enhancing the communication between the parties, maintaining the client relationship and notify the client in relevant developments in the client’s field of business as well as in storing documents and materials in backup systems for ensuring the security of processing activities. In relation to potential clients and others – legal basis is your consent.
    • Data related to event registration: Basic Data, company name (if you are a representative of a legal entity), confirmation about your (and your partner’s) attendance, content of the confirmation e-mail, data in the feedback form, etc. („Registration Data“). If you refuse to provide us the Personal Data we have requested for your registration to the event, your registration may not be confirmed.
      Purpose: to ensure event registration and management of attendance list, collecting feedback from the attendees of the event, for event cost management and storing documents and materials in backup system.
      Legal basis: (i) legitimate interest (in case the event is free of charge) or performance of a contract (in case of paid events) to ensure event registration; (ii) consent you have given upon registering yourself to the event and accepting the terms in the Information Notice regarding receiving feedback to improve the management of events; (iii) performing of a legal obligation for managing event costs and (iv) legitimate interest in storing documents and materials in backup systems for ensuring the security of processing activities.
    • Data related to the communications between us: Basic Data, content of our communications („Communication Data“).
      Purpose: to ensure event registration and management of attendance list and storing documents and materials in backup system.
      Legal basis: legitimate interest in proper management of events and storing documents and materials in backup systems for ensuring the security of processing activities.
    • Data related to capturing events: photos, videos and other recordings of events. („Event Data“).
      Purpose: to capture events, publish the captures of the event on our website or social media pages, provide access to photos and videos captured at the event to all of the attendees and store documents and materials in backup system.
      Legal basis: legitimate interest in capturing the event for the purposes of sharing the experience with the attendees in a more lasting medium and to create marketing materials, legitimate interest in gaining public reach for our events, with a purpose of promoting our business and ensure its sustainability through active marketing, third party’s (yours or of any other attendee’s) legitimate interest in accessing the captures of the event and legitimate interest in storing documents and materials in backup systems for ensuring the security of processing activities.
  • 4.1.3Security data: some of our premises are covered with CCTV system, which may capture your personal image as well as we may collect Personal Data by using other our IT resources. All CCTV footage is captured for the purposes of providing individual’s security, prevention and detection of crime under the respective Firm’s legitimate interest, for ensuring the security of our premises, devices and other assets and storing documents and materials in backup system.Legal basis for processing the Personal Data described in this section is legitimate interest in preventing and detecting crime and violations related to property, and threat to the vital interest of an individual and legitimate interest in storing documents and materials in backup systems for ensuring the security of processing activities.
  • 4.1.4Cookie data: we use cookies to obtain information about your use of our Website. Cookies allow us to provide you with a more streamlined and accessible experience when using the Website. The information generally does not comprise any data that would allow us to individually identify you as a natural person. We will process your data using cookies for the duration of the period in which you have granted us consent. For further information, please see COBALT Cookie Notice.

• We have a legal obligation to ensure that your Personal Data is kept accurate and up to date. We kindly ask you to assist us to comply with this obligation by ensuring that you inform us of any changes that have to be made to any of your Personal Data that we are processing.
  
  You may, at any time, exercise the following rights with respect to our processing of your Personal Data:
  • a)Right to access: You have the right to request access to any data that can be considered your Personal Data. This includes e.g. the right to be informed on whether we process your Personal data, what Personal Data categories are being processed by us, and the purpose of our data processing;
  • b)Right to rectification: You have the right to request that we correct any of your Personal Data if it is inaccurate or incomplete;
  • c)Right to object: You are entitled to object to certain processing of Personal Data, including for example, the processing of your Personal Data for marketing purposes or when we otherwise base our processing of you on legitimate interest;
  • d)Right to erasure: You may also request that your Personal Data be erased subject to certain statutory exceptions if the Personal Data is no longer necessary for the purposes for which it was collected, or if you consider that the processing is unlawful, or if you consider that the Personal Data should be erased to enable us to comply with a legal requirement;
  • e)Right to data portability: If we process your Personal Data based on your consent or on the basis of a mutual contractual relationship, you may request that we provide you with that Personal Data in a structured, commonly used and machine-readable format. Moreover, you may also request that the Personal Data is transmitted to another controller. Bear in mind that the latter can only be done if that is technically feasible;
  • f)Right to withdraw your consent: In cases where the processing is based on your consent, you have the right to withdraw your consent to such processing at any time;
  • g)Opt-out from marketing: We will also give you the opportunity to opt out of our communication with you whenever we send you information about the Firm, the events that we organize or any other information that we believe may be of interest to you. Additionally, you can also opt out at any time by contacting us.
• When providing legal services to our Clients, there may be circumstances where our statutory obligations, as well as the rules of the respective Bar Association of the jurisdiction, prohibit us from disclosing or erasing the data that we store and process. Moreover, such laws, regulations or rules may prevent you from exercising other data subject rights as well.
  
  If you have complaints on how we process your Personal Data, or you would simply like to know more about our data processing activities, feel free to contact us at any time by using the information noted in the Section 2.1 of this Notice.
  
  You do have the right to lodge a complaint with a Data Protection Authority (“DPA”) if you think that your Personal Data is being processed incorrectly or your data subject’s rights have been violated by us. You can lodge a complaint by contacting the DPA that is local to your jurisdiction i.e. the location of the alleged violation of your data subject rights or the inappropriate processing or your data, or the place you live and work.
  
  This is the list of DPAs in the Baltics:
  • The Estonian Data Protection Inspectorate in Estonia: http://www.aki.ee/en;
  • The Data State Inspectorate in Latvia: http://www.dvi.gov.lv/en/;
  • The State Data Protection Inspectorate in Lithuania: https://vdai.lrv.lt/.

When providing legal services to our clients, we may be obliged to transfer Personal Data to third parties. This may include data transfer in the context of legal procedure and litigation, as well as generally any legal services that we offer to our Clients. We may transfer your data among COBALT entities, partners, and authorities when we are obliged by the laws and regulations or for the purposes of providing specific legal services.

However, outside of the provision of legal services, we do use the services of certain third parties to ensure the functionality of our services and the Website. We are required to transfer your Personal Data to these third-party service providers (including operational service providers, such as auditors), so that these third parties would be able to provide us with their services. For example, we may transfer your Personal Data to IT services, accounting, security or translation services providers. These third-party services providers are to be considered data processors. The Personal Data that will be transferred to these third-service providers will be limited to the minimum that is required to ensure the provision of third-party services.

We have ensured that all third-party service providers to whom we transfer your Personal Data will follow our instructions with respect to how they process your Personal Data. The transfer of your Personal Data is regulated by the data processing agreements or data processing terms that exist between us and third-party service providers. Any third-party service providers, as data processors, must ensure that they process your Personal Data with the same level of care and diligence as we do and are legally liable to you and to us if the data processors act contrary to those warranties. Furthermore, these third-party service providers are required to implement technical and organizational measures to ensure an equal level of data protection to the one that we bring to our data processing efforts.

If the captures of the event are made public on social media pages administered by Firm, your Event Data may also be processed by third parties. Firm has no substantial control over such processing, thus please get acquainted with the privacy notice of the respective party.

If we use social media to access to statistical data, filtering and targeted marketing tools related to the social media page’s visits, the social media service providers shall be joint-controllers with Firm for processing your Personal Data (as in case with Facebook, Twitter and LinkedIn).

Additionally, we may be required to transfer your Personal Data to other recipients such as local or state authorities, courts, other controllers (such as other law offices) depending on the scope of the Services or the applicable statutory requirements. We may transfer the Personal Data outside of the EU (please see Section 9 of this Notice).

Finally, certain Personal Data can be exchanged between COBALT law firms in Estonia, Latvia and Lithuania to ensure provision of requested legal services.

Most of your Personal Data described in the Notice is submitted to us by you. However, we may also collect and receive your Personal Data from other COBALT offices in Estonia, Latvia and Lithuania to ensure central administrative systems, provision of requested legal services and/or management of personal data processing.

We can also collect your Personal Data from data media created at our request, CCTV and other technical measures and receive it from other sources such as other Clients, social media, publicly available sources if it is necessary for the provision of legal services, for marketing purposes or in case of a dispute with a Client. We might employ a third party to provide remote identification and screening services for the purposes of AML.

We will store the Personal Data that we have acquired in compliance with the applicable legislation of the relevant jurisdiction, and in conformity with the rules of the Estonian, Latvian and Lithuanian Bar Associations. We will retain your Personal Data for no longer than is necessary for the purposes for which they are collected and processed for.

For other purposes the period for which the Personal Data will be stored depends on number of criteria, including:

• type of personal data;
• whether there is any dispute between us or with any third party;
• our legal obligations under laws and regulations to retain your personal data for valid purposes.

We retain your personal data referred above within the following terms:

• Legal services data:
  • Information about the Client, person acting on behalf of the Client and transaction: at least for 10 years after the termination of legal relationship with the client, unless any competent institution has specified, according to the applicable laws, a longer term for storing obtained information;
  • Information about the ultimate beneficial owner and politically exposed persons: up to 8 years after the termination of legal relationship with the Client, unless any competent institution has specified, according to the applicable laws, a longer term for storing obtained information;
  • Information about the transaction and billing information: up to 10 years after the transaction took place.
• Marketing data:
  • Registration Data will be retained up to 10 years as of the start of the subsequent year following the financial year the Personal Data were collected;
  • Communications Data will be retained for up to 10 years as of the start of the year following the initial communication;
  • Event Data will be retained for up to 10 years as of the start of the year following the year the Personal Data were collected.
• Security data will be retained up to 1 month as of collecting the respective data;
• Cookie data: please see our Cookie Policy.

After the retention period mentioned in this section of this Notice, we will delete respective Personal Data, unless we are obliged to retain the Personal Data for longer period in order to comply with obligations deriving from applicable laws or these data are necessary to resolve legal disputes.

Please note that after the retention period mentioned in this section of this Notice or if the legal basis for processing has ceased, we have the right to retain the documents and materials containing the Personal Data in its backup systems, from which the Personal Data will be deleted in the end of the backup retention cycle. We ensure that during the backup period and after the retention period or ceasing of the legal basis, applicable safeguards are in place, the Personal Data is put beyond use in the backup systems and the Personal Data are subsequently deleted as soon as possible, i.e. on our next deletion/destruction cycle.

We primarily store and process Personal Data within the European Union. Nevertheless, it may at times be necessary that your Personal Data is transferred to and stored at a destination outside the European Union, if the Client’s assignment requires legal advice of non-EU lawyers. It may also be processed by data processors operating outside the EU.

We will take all necessary precautions to ensure that your Personal Data is treated securely and in accordance with the applicable Data Protection Laws. For example, we may transfer your Personal Data based on:

• an adequacy decision by the European Commission;
• standard data protection clauses elaborated by the European Commission;
• standard data protection clauses elaborated by a DPA;
• using other possible safeguards and derogations where it is allowed by the Data Protection Laws.

Furthermore, in case of data transfers to any other third country which is not covered by the EU adequacy decision, we take utmost care about the security and only transfer the absolutely necessary personal data required for the legal services. In addition, we transfer this data in an encrypted manner, so that it would be useless, if intercepted during the transfer.

Feel free to contact us with regards to any questions, inquiries, requests or complaints with respect to the processing of your Personal Data at: privacy@cobalt.legal.

We may make changes to this Notice to reflect changes in our processing methods and the best practices of data protection. If the Notice has been changed in any way, then the newest edition of this Notice will be published on our Website and, when changes are material, we will alert you.

Last updated: 2022-03-31