PRIVACY POLICY
OVERVIEW
We value the trust you place in us and we are committed to respecting and protecting your privacy. This Privacy Policy sets out the principles governing the use of personal data (described below) how we collect, share and otherwise process personal data about our clients and prospective clients, contacts for suppliers of goods and services to the Firm, candidates for employment or engagement, and any other individuals (collectively “you” or the “data subject”), as well as the rights that you have in relation to our processing of that personal data.
Unless specifically stated otherwise, Unicorn Legals OÜ, a private limited company established under the laws of Estonia, registry code 16486692, with registered address at Harju county, Tallinn, Nõmme district, Voolu str. 20a, 10918 (hereinafter the “Firm,” “we,” “us,” or “our”) is the data controller in relation to any personal data that the Firm processes about you and is therefore responsible for ensuring that the systems and processes we use are compliant with data protection laws, to the extent applicable to us, including the, but not limited to, European Union General Data Protection Regulation 2016/679.
The term “personal data” means information that (either in isolation or in combination with other information held by the Firm) enables you to be identified as an individual or recognized directly or indirectly.
HOW WE OBTAIN PERSONAL DATA
We may collect personal data from a number of sources, such as:
- directly from you (e.g., when you submit inquiries through contact us form);
- in the course of our relationship with you (e.g., if we provide services to you or in the course of corresponding with you);
- when you visit our unicornlegals.com website (“Website”);
- we may also receive personal data about you from third parties (e.g., courts, law enforcement authorities).
CATEGORIES OF PERSONAL DATA, PURPOSES AND SHARING
We will process specific personal data for clearly defined purposes and will share with a limited number of recipients. Please familiarize yourself carefully with below categories of personal data processing activities:
| |
Data Categories | Client’s or potential client’s name, surname, position, company name, telephone number, address, e-mail address, bank account number, time and duration of services provided, scope of services provided, taxpayer information, invoices issued and the personal data contained therein, other payment information, electronic correspondence history, any other information received/provided to us in the course of providing services |
Lawful basis for data processing | Performance of contractual obligations (Article 6 (1) (b) of the GDPR) Our legitimate interests (Article 6 (1)(f) of the GDPR) Performance of legal obligations (Article 6 (1)(c) of the GDPR) |
Data retention period | Up to 10 years from the moment of the last provision of services to you. For example, the Firm will retain accounting documents for 7 years as of the end of the financial year when a business transaction was recorded in the accounting journals and ledgers. |
With whom do we share this personal data | Depending on the nature of the services we provide, we may share personal data with various entities, including public registries, courts, arbitrators, legal representatives (such as lawyers or advocates) of another party, law enforcement authorities, financial institutions, relevant government agencies and authorities, other law firms, service providers offering support in marketing, accounting, IT, translation, and related services, as well as any other individuals or legal entities to the extent that such data sharing is necessary for the proper provision of our services. |
| |
Data Categories | Candidate’s name, surname, phone number, e-mail address, information about work, professional experience and other information provided in the CV and learned during interviews with a candidate |
Lawful basis for data processing | Consent of the candidate (Article 6 (1) (a) of the GDPR) Our legitimate interest (Article 6 (1)(f) of the GDPR) |
Data processing term | Personal data will be processed throughout the duration of the selection process for the specific position unless the candidate chooses to withdraw their consent. Additionally, if the candidate grants explicit consent, their personal data may be retained for a period of 1 year following the conclusion of the recruitment process for contacting them in case of open positions. |
We receive the personal data from | Directly from you |
With whom do we share this personal data | For service providers (e.g. service providers providing data storage services, recruitment services, etc.) |
| |
Data Categories | Your social network account name, profile picture, comments, likes, content of your requests (inquiry) |
Lawful basis for data processing | Consent (Article 6 (1) (a) of the GDPR) Our legitimate interest (Article 6 (1)(f) of the GDPR) |
Data processing term | Personal data is stored as long as our or your social network account is active, unless you explicitly express a desire to have your data deleted from our social network accounts sooner. |
We receive the personal data from | Directly from you or third parties |
With whom do we share this personal data | For service providers (e.g. service providers providing data storage services, etc.) |
| |
Data Categories | Name, position, name of the organization, phone number, e-mail address. In certain cases and subject to prior notice in writing, we may create audio or visual recordings of these events, take photographs, conduct interviews or surveys, or conduct similar activities at these Events (“Event Data”). In connection with Events, we may process special categories of data (i.e, race, nationality) only with your consent, and allow you to limit use or disclosure as required by law. You may revoke your consent to the processing of a special category of data at any time |
Lawful basis for data processing | Depending on the nature of the specific event, personal data may be processed on the following grounds: Performance of contractual obligations (Article 6 (1) (b) of the GDPR) Consent (Article 6 (1) (a) of the GDPR) Our legitimate interests, such as analyzing participants’ experiences of satisfaction and to allow our event partners to communicate with participants. (Article 6 (1)(f) of the GDPR) |
Data processing term | Basic Event Data: We retain this information for a reasonable period, typically up to 3 years after the event, to facilitate follow-up and analysis. Inferred Special Categories of Data (e.g., Race, Nationality): We process this data only with your consent and retain it only as long as necessary to fulfill the event’s purpose. You can revoke your consent at any time, leading to immediate data deletion. |
We receive the personal data from | Directly from you or third parties |
With whom do we share this personal data | For service providers (e.g. service providers providing data storage services, marketing services, event organization services, etc.) |
| |
Data Categories | Name, position, company name, email address, telephone number, content of the inquiry or request |
Lawful basis for data processing | Consent (Article 6 (1) (a) of the GDPR) |
Data processing term | This personal data is processed for 1 year from the date of receipt of your inquiry |
We receive the personal data from | Directly from you |
With whom do we share this personal data | For service providers (e.g. service providers providing data storage services, etc.) |
DATA TRANSFERS
We transfer your data to the Public authorities and supervisory bodies only if it is required by the law. The firm does not transfer your personal data outside the European Union (EU) or European Economic Area (EEA), nor to such a third country or international organization, the level of data protection of which the European Commission has not considered adequate.
When transferring your personal data outside the EU, we will take all necessary steps to ensure that your personal data is processed securely and in accordance with the safeguards under the GDPR and other applicable laws.
DATA RETENTION
We will only retain your personal data for as long as necessary for the purposes for which that personal data was collected as set out in this Privacy Policy or for longer as required under any applicable legal, regulatory, accounting, or reporting requirements (for example, guidelines established by the Estonian Bar Association on retaining client’s files).
The firm keeps your personal data for the period necessary for the achievement of purposes stated in this notice or until it is required by the law or the We seek not to store unrelated personal data, therefore only relevant information is kept when it is updated (e.g. after clarification, change of information, etc.). Historical information is stored if it is necessary according to the relevant legal acts or to carry out our activities.
DATA SUBJECT RIGHTS
If you are in the EEA and the UK you have the following rights under the GDPR and the UK GDPR:
Access. Subject to certain exceptions, you have the right to request a copy of the personal data we are processing about you, which we will provide to you in electronic form.
Rectification. You have the right to require that any incomplete, inaccurate or outdated personal data that we process about you is rectified.
Deletion. You have the right to request that we delete personal data that we process about you, unless we are required to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims.
Restriction. You have the right to request that we restrict our processing of your personal data whilst a complaint is being investigated where:
- you believe such data to be inaccurate;
- our processing is unlawful; or
- we no longer need to process such data for a particular purpose, but where we are not able to delete the data due to a legal or other obligation or because you do not want us to delete it.
Portability. You have the right to request that we transmit the personal data we hold in respect of you to another data controller. At your request, we’ll provide you with a transferable copy of your data or send it directly (if possible) to your designated recipient. Please note this only applies where the lawful basis was either consent or performance of a contract and processing was automated.
Objection. Where the legal basis for our processing of your personal data is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim.
Withdrawing Consent. If you have consented to our processing of your personal data, you have the right to withdraw your consent at any time, free of charge This includes cases where you wish to opt out from marketing messages that you receive from us. For any processing that is based on your consent, you can withdraw that consent at any time. This means that we will stop that processing, unless there is another basis to continue processing, such as a legal obligation. Withdrawing consent does not affect any processing that has already taken place.
Right to Avoid Automated Individual Decision-Making: At SWG, all decisions that could affect your rights are made by humans. While we use computers to help us in our work, all decisions are made by real individuals.
If you are in the EEA you also have the right to lodge a complaint with the local data protection authority if you believe that we have not complied with applicable data protection laws. Access a list of local data protection authorities in EEA countries here.
You can submit requests related to the exercise of your rights to us in person, by post or by electronic means. Upon receipt of your request, we may ask you to provide proof of identity, as well as any additional information we require regarding your request.
Upon receipt of your request, we will respond to you no later than within 30 calendar days from the receipt of your request and the date of submission of all documents required for the response.
Upon receipt of your request, we will respond to you no later than within 30 calendar days from the receipt of your request. This period can be extended by another two months if necessary, depending on the complexity of the request. Within one month from the date of receipt of your request, we will inform you of such an extension, together with the reasons for the delay.
If we deem it necessary, we will suspend the processing of your data, other than storage, until your request has been resolved. If you lawfully withdraw your consent, we will immediately terminate the processing of your personal data, except when we are required to continue to process your data due to our obligations, court decisions or binding instructions given to us by the authorities.
If we refuse to comply with your request, we will clearly state the grounds and the reasons for such refusal.
If you do not agree with our actions or the response to your request, you may appeal against our actions and decisions to the competent public authority.
DATA SECURITY
We endeavor to implement technical and organizational security measures in an effort to safeguard the personal data in our custody and control. Such measures include, for example, limiting access to personal data only to our staff and authorized service providers on a need-to-know basis for the purposes described in this Privacy Policy, data privacy trainings, as well as other administrative, technical, and physical safeguards.
THIRD PARTY LINKS
Our Website may include links to external websites that are operated by third parties, particularly in the “News and Publications” section. Additionally, we utilize social media platforms like LinkedIn and Facebook, as well as third-party platforms to host events, training sessions, and seminars. It is advisable that you thoroughly review the privacy policies of these external websites. Please be aware that we do not assume any responsibility for the information you may choose to disclose on these sites or for their handling and utilization of your personal data.
COOKIES AND OTHER TECHNOLOGIES
We do not use or engage certain providers to use cookies, web beacons, and similar tracking technologies (collectively, “Cookies”) on our Website.
CHANGES TO THIS PRIVACY POLICY
We may periodically revise this Privacy Policy to align with changes in our services and privacy procedures, or in response to relevant legal or regulatory obligations. Whenever feasible, we will make an effort to notify you of significant changes via email. Nevertheless, the most recent update date can be found below, and we urge you to regularly review this Privacy Policy to stay informed about how we handle your personal data.
HOW CAN YOU CONTACT US?
We HOPE that our Privacy Partner can effectively address any questions or concerns you may have regarding the use of your personal data. If you find that your inquiry or concern has not been addressed to your satisfaction, please do not hesitate to reach out to us. You can contact us via email at anni@unicornlegals.com or by using our “Contact Us” form. Additionally, you can find our supplementary contact information below:
Unicorn Legals OÜ
Registry code: 16486692,
Contact address: Pärnu str. 130, 11317 Tallinn, Estonia
Email address: anni@unicornlegals.com
Last updated: September 2023
