GDPR Notice
Last update: 13 May 2026
1. Introduction
Rutsaert Legal (hereinafter "we", "us", or "the Firm") is committed to protecting the personal data of its clients, staff, and other individuals with whom it interacts. This policy explains how we collect, use, store, and protect personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR") and the Luxembourg Act of 1 August 2018 on the organisation of the National Commission for Data Protection (CNPD) and the general data protection framework.
2. Identity of the Data Controller
The data controller is:
Rutsaert Legal, a law firm registered with the Luxembourg Bar Association, represented by Mr Quentin Rutsaert
Email: contact@rutsaertlegal.com
3. Personal Data We Collect
Depending on the nature of our engagement, we may collect and process the following categories of personal data:
3.1 Client Data
- Full name, address, contact details (email, phone number) of clients, representatives and beneficial owners
- Identity documents (passport, national identity card)
- Financial information necessary for billing and anti-money laundering (AML) compliance
- Information relevant to our legal matters
3.2 Staff and Contractor Data
- Contact and identification details
- Employment-related information (payroll, HR records, social security)
3.3 Third-Party Data
- Contact details of opposing parties, witnesses, or other persons relevant to a matter, to the extent legally necessary
4. Legal Bases for Processing
We process personal data on the following legal bases under Article 6 GDPR:
- Performance of a contract: to provide legal services pursuant to our engagement letter or mandate.
- Legal obligation: to comply with applicable laws, including AML/KYC obligations, tax law, and professional rules of the Luxembourg Bar.
- Legitimate interests: to manage our business operations, prevent fraud, and maintain client relationships, where these interests are not overridden by your rights.
- Consent: where we rely on specific consent from a relevant person, for example for marketing communications. Such consent can be withdrawn by the relevant person at any time.
Where we process special categories of data (e.g., health data, criminal records) as may occasionally be required in litigation or advisory matters, we rely on Article 9(2)(f) GDPR (establishment, exercise or defence of legal claims) or other applicable derogations.
5. Purposes of Processing
We process personal data for the following purposes:
- Providing legal advice and representation
- Client onboarding and identity verification (KYC/AML)
- Billing and invoicing
- Compliance with professional obligations and regulatory requirements
- Managing employment and contractor relationships
- Improving our services and communicating with clients
6. Professional Secrecy
As lawyers registered with the Luxembourg Bar, all members of the Firm are bound by strict professional secrecy (secret professionnel) under Luxembourg law. This obligation applies to all information received in the course of our professional activities. Our data protection practices are designed to be fully compatible with and supportive of this obligation.
7. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, taking into account our legal and professional obligations. In practice:
- Client files are generally retained for a minimum of 10 years following the conclusion of a matter, in accordance with Luxembourg professional rules and applicable limitation periods.
- AML/KYC records are retained for at least 5 years following the end of the business relationship, as required by the Luxembourg AML Law of 12 November 2004 (as amended).
- Accounting records are retained for 10 years under Luxembourg commercial law.
- Staff records are retained for the duration of employment plus at least five years after the end of employment.
8. Sharing of Personal Data
We do not sell personal data. We may share data with:
- Other lawyers, counsel, or experts engaged in your matter, where required
- Courts, regulators, or public authorities, where legally required
- Service providers (e.g., IT systems, cloud storage, accounting software) acting as data processors under appropriate data processing agreements
- The Luxembourg Bar (Barreau / Ordre des Avocats) or other supervisory authorities where required by professional rules
Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place (e.g., standard contractual clauses approved by the European Commission).
9. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These include:
- Password-protected and encrypted systems
- Secure document storage and management
- Restricted access on a need-to-know basis
- Staff awareness of data protection obligations
More details about data security are provided in our Information Security Procedure.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of any relevant person, we will notify the CNPD within 72 hours and, where required, inform the relevant person without undue delay.
10. Rights of relevant persons
Subject to applicable conditions and limitations under the GDPR, a relevant person (hereafter “you”, “your”) has the following rights with respect to your personal data:
- Right of access (Article 15 GDPR): to obtain confirmation of whether we process your data and to receive a copy.
- Right to rectification (Article 16 GDPR): to have inaccurate data corrected.
- Right to erasure (Article 17 GDPR): to request deletion, subject to our legal retention obligations.
- Right to restriction (Article 18 GDPR): to limit processing in certain circumstances.
- Right to data portability (Article 20 GDPR): to receive your data in a structured, commonly used format.
- Right to object (Article 21 GDPR): to object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at the address provided in Section 2. We will respond within one month (extendable by a further two months in complex cases).
Please note that some of these rights may be limited where we are required to retain or process data by law, or where your request conflicts with our professional secrecy obligations.
11. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR or applicable Luxembourg law, you have the right to lodge a complaint with the supervisory authority:
Commission Nationale pour la Protection des Données (CNPD)
15, Boulevard du Jazz
L-4370 Belvaux
Luxembourg
Website: www.cnpd.lu
Email: info@cnpd.lu
12. Review of the policy
This policy will be reviewed annually and updated where necessary to reflect changes in the Firm’s activities, systems, or applicable laws and regulations.
