PRIVACY NOTICE

Last updated: 1/12/2026

1. Who is responsible for your data?

The data controller responsible for processing your personal data is PRAGMA Law S.à r.l. (referred to as “we”, “us”, or “our” or “PRAGMA Law”).
As an independent law firm, we determine the purposes and means of the processing of your data. We take this responsibility seriously and act in accordance with the EU General Data Protection
Regulation (the “GDPR”) and applicable Luxembourg laws.

Contact Details: If you have any questions about privacy or wish to exercise your rights, you can contact our dedicated point of contact:

Post: PRAGMA Law, Rue Charles Darwin 5, L-1433 Luxembourg
Email: contact@pragmalaw.lu

2. What personal data do we collect?

We only collect data that is adequate, relevant, and limited to what is necessary. The type of data depends on your relationship with us:

If you are a Client (or prospective client):
- Identity & Contact: Name, job title, company, address, email, phone number, ID/Passport copy (for KYC purposes).
- Financial Data: VAT number, bank account details, billing history.
- Case Data: Information provided by you or third parties related to your legal matter (which may include sensitive data if relevant to the case, e.g., in employment or litigation matters).

Important Note on Mandatory Data: Providing your Identity and Financial Data is a statutory requirement under Luxembourg Anti-Money Laundering (AML) laws. If you fail to provide this information, we will be legally unable to enter into a client relationship with you or may be forced to terminate an existing relationship.

If you are a Website Visitor:
- Identity & Contact: Name, job title, company, address, email, phone number, ID/Passport copy (for KYC purposes).
- Financial Data: VAT number, bank account details, billing history.
- Case Data: Information provided by you or third parties related to your legal matter (which may include sensitive data if relevant to the case, e.g., in employment or litigation matters).

If you are a Website Visitor:
- Communication Data: Name and email address (if you fill out our contact form).
- Technical Data: IP address, browser type, device information, and approximate location (collected automatically for security and analytical purposes, e.g., via Google Analytics).
If you are a Job Applicant:
- Professional Data: CV, cover letter, education, employment history, and interview notes.

3. Why do we use your data?

We do not process your data randomly. Every use of your personal data corresponds to a specific purpose and a specific legal justification (legal basis).

To provide legal services & manage your file:
- Purpose: Drafting contracts, providing legal advice, representing you in court, and communicating with you.
- Legal Basis: Performance of a contract (e.g. our engagement letter).
To comply with legal obligations:
- Purpose: Performing "Know Your Client" (KYC) & Anti-Money Laundering (AML) checks, and tax/accounting reporting.
- Legal Basis: Legal Obligation.
To manage invoicing & accounting:
- Purpose: Issuing invoices and keeping financial records.
- Legal Basis: Legal Obligation.
To ensure IT security & improve our Website:
- Purpose: Securing our systems (Microsoft 365, Verpex servers), preventing fraud, and analysing website traffic.
- Legal Basis: Legitimate Interest (to protect our business and clients).
To send you our Newsletter & Legal Updates:
- Purpose: Informing you about legal news or firm events.
- Legal Basis: Consent (if you subscribed) OR Legitimate Interest (if you are an existing client and we send you relevant information). Note: You can unsubscribe at any time.
To manage recruitment:
- Purpose: Reviewing CVs and conducting interviews.
- Legal Basis: Pre-contractual measures (at your request).

Automated Decision-Making: we do not use automated decision-making or profiling (algorithms that make decisions about you without human intervention) that produces legal effects concerning you.

4. Where does the data come from?

In most cases, you provide the data directly to us (e.g., during meetings, via email, or by handing over documents).

However, in the context of legal files, we may also obtain data from:

Public sources: Trade and Companies Registers (RCS), Beneficial Owner Registers (RBE), or Press.
Third Parties: Opposing parties, other lawyers, courts, administrative bodies, or banks involved in a transaction or dispute.

5. Who do we share your data with?

We treat your data with the utmost care and confidentiality. We do not sell your data to third parties. However, to provide our services, we may share data with trusted recipients:

Legal stakeholders: In the context of a case, we may need to share information with courts, bailiffs (huissiers), opposing parties, experts, or the Luxembourg Bar Association (Ordre des Avocats).
Service providers: We work with selected vendors who support our operations, including:
- IT &; hosting providers: To store our emails and files securely (e.g., Microsoft, Verpex).
- Software providers: We use secure management software for invoicing and case management.
- Communication tools: To manage our newsletter campaigns.
Public Authorities: If required by law (e.g., for tax declarations or anti-money laundering reporting).

6. Is your data transferred outside the EU?

Our primary servers and main software are hosted within the European Economic Area (the ”EEA”).

However, some of our service providers (such as Microsoft for emails or our newsletter provider) may process data in countries outside the EEA, specifically the United States. In such cases, we ensure that the transfer is compliant with GDPR by relying on:

An adequacy decision from the European Commission (such as the EU-US Data Privacy Framework); or
Standard Contractual Clauses (the “SCCs”) approved by the European Commission, ensuring a high level of protection for your data.

7. How long do we keep your data?

We only retain your personal data for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Client Files: Retained for 10 years after the end of our contractual relationship (to cover the professional liability period in Luxembourg).
Accounting Data: Retained for 10 years (legal obligation).
Recruitment Data (CVs): Retained for maximum 2 years after the last contact, unless a candidate agrees to a longer period for our talent pool.
Newsletter data: Retained until you unsubscribe (via the link in the footer of our emails).

8. What are your rights?

Under GDPR, you have control over your data. You can exercise the following rights at any time, free of charge:

Access: You can ask us if we are processing your data and request a copy of it.
Rectification: You can ask us to correct inaccurate or incomplete data (e.g., if you change your address).
Erasure (“Right to be forgotten”): You can ask us to delete your data.

Note: We may refuse this request if we are legally required to keep the data (e.g., for accounting or liability purposes).

Object: You can object to the processing of your data, specifically if you no longer wish to receive our newsletter.
Restriction: You can ask us to "freeze" the use of your data in specific situations (e.g., while we verify its accuracy).
Portability: In some cases, you can ask to receive your data in a standard format to transfer it to another provider.

How to exercise your rights? Simply send an email to contact(a)pragmalaw.lu. We may ask for proof of identity to ensure we are talking to the right person. We will respond within legal deadlines.

Withdraw Consent: If you have given your consent for a specific processing (e.g., subscribing to our newsletter), you have the right to withdraw that consent at any time. This will not affect the lawfulness of the processing before the withdrawal.

Right to complain: If you feel that we are not respecting your rights, you have the right to lodge a complaint with the Luxembourg Supervisory Authority:

Commission Nationale pour la Protection des Données (the « CNPD »)
Website: https://cnpd.public.lu

9. Security & Updates

We implement appropriate technical and organisational measures (such as encryption, access controls, and secure servers) to protect your data against loss, theft, or unauthorised access.

10. Cookies

We use cookies and similar tracking technologies to improve your browsing experience and analyse our website traffic. For detailed information on the cookies we use and how to manage your preferences, please refer to our Cookie Notice.

11. Governing law & jurisdiction

This Privacy Notice is governed by and construed in accordance with the laws of the Grand Duchy of Luxembourg.

Any dispute relating to the interpretation or execution of this Privacy Notice shall be subject to the exclusive jurisdiction of the courts of Luxembourg-City.

We may update this Privacy Notice from time to time to reflect changes in our practices or the law. The latest version will always be available on this page.