Personal data protection policy

Updated on December 18, 2023


Preamble

Sesame Avocats, Association d'Avocats à Responsabilité Professionnelle Individuelle, located at 22 Boulevard Malesherbes 75008 Paris (hereinafter "Sesame Avocats") processes Personal Data in the course of its business. Sesame Avocats is particularly committed to protecting the personal data it collects as part of its consulting services. Sesame Avocats is committed to complying with all French and European laws and regulations on the protection of personal data. 

In accordance with the requirements of Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the Protection of Individuals with regard to the processing of personal data and on the free movement of such data (the "RGPD"), the purpose of this Personal Data protection policy (hereinafter the "Policy") is to inform and explain to Data Subjects how Sesame Avocats collects, uses and ensures the protection of Personal Data, and to document its compliance with applicable regulations.

This privacy policy applies to the Personal Data of clients, prospective clients, partners, users of the website (www.sesame-avocats.com, the "Website"), and candidates responding to Sesame Avocats' recruitment offers. Personal data collected in connection with the management of Sesame Avocats' human resources is covered by separate information provided to its employees.

For the purposes hereof, in accordance with the RGPD and Law No. 2018-493 of June 20, 2018 on the protection of personal data:

  • "Personal Data" means any information relating to an identified or identifiable natural person (hereinafter the "Data Subject"); an identified or identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

  • The term "Processing" is understood to mean any operation or set of operations, whether or not carried out using automated processes and applied to data or sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, limitation, erasure or destruction;

  • The term "Data Controller" means the natural or legal person, public authority, department or other body which, alone or in partnership with others, determines the purposes and means of the Processing; and

  • "Sub-processor" means the natural or legal person, public authority, department or other body that processes Personal Data on behalf of the Data Controller.


I.  LEGAL BASIS FOR PROCESSING PERSONAL DATA

Before any Processing, Sesame Avocats ensures that the Processing:

  • is based on a specific, explicit and legitimate purpose for which the Personal Data is processed;

  • is strictly limited to the intended purpose;

  • is lawful, being justified by (i) the necessary performance of a contract concluded between the firm and a client or pre-contractual measures, (ii) a legal obligation, (iii) the prior consent of the Data Subject, or (iv) the pursuit of a legitimate interest of the firm, provided that it does not contravene the fundamental rights of the Data Subject.

Sesame Avocats ensures that the Personal Data processed is accurate and up-to-date.

In the case of any sensitive Personal Data, as defined by the applicable regulations, Sesame Avocats first seeks the consent of the Data Subject.

Sesame Avocats uses Personal Data for the following purposes:

a)     the legitimate interests of Sesame Avocats:

  • prospecting and promotion within the scope of its activity;

  • customer and prospect relationship management;

  • the organization, registration and invitation to Sesame Avocats events; and

  • monitoring legal news in connection with customers' and prospects' activities;

b)     the performance of pre-contractual measures or a contract concluded with the Data Subject:

  • production, execution, management and follow-up of customer files;

  • invoicing and collection of invoices issued for customer files;

c)     compliance with legal and regulatory obligations when Sesame Avocats implements Processing for the following purposes:

  • prevention of money laundering and terrorist financing and the fight against corruption;

  • accounting;

d)     the consent of the Data Subject:

  • personalized solicitation.


II. TYPE OF PERSONAL DATA COLLECTED

Sesame Avocats is likely to collect Personal Data concerning (i) its clients in order to manage their files, both in terms of advice and litigation, (ii) its prospects in the context of solicitation, (iii) users of the Website during their browsing, and (iv) candidates wishing to join Sesame Avocats in the context of a recruitment procedure.

a)     Personal data relating to customers and/or prospects that may be collected

In the context of the lawyer's mission and for the efficient performance thereof, the Personal Data likely to be collected and processed by Sesame Avocats are the following:

  • civil status data: surname, first name, address, date and place of birth;

  • data relating to professional and family life: employment contracts, pay slips, tax forms, unemployment certificates, etc.;

  • bank details of the natural or legal person invoiced for the services provided;

  • economic and financial information: income, financial assets;

  • telephone numbers and e-mail addresses;

  • sensitive data, such as medical data for the purpose of justifying possible harm, or data relating to race, sexual orientation, trade union membership or religious, philosophical or other beliefs.

Depending on the above purposes, the categories of Personal Data retained may differ slightly, these being essentially linked to the nature of the mission entrusted to Sesame Avocats.  This information is necessary for the purposes identified above.

b)     Personal data collected as part of a recruitment procedure

In the context of recruitment procedures for trainees, associates, partners and/or employees, the following Personal Data may be collected and processed by Sesame Avocats:

  • first and last name;

  • e-mail address;

  • information contained in the Curriculum Vitae and covering letter;

  • salary positioning;

  • follow-up to the application;

  • the type and duration of the proposed contract.

c)     Personal Data collected when browsing the Website

When browsing the Website, the Personal Data likely to be collected and processed by Sesame Avocats relates solely to the user's technical browsing data.


III. PERSONAL DATA COLLECTION SYSTEM

a)     Collection of Personal Data from customers and/or prospects

Personal Data is collected during telephone conversations, e-mail exchanges, or by any other means of communication, at the time of initial contact or throughout the professional relationship.

b)     Collection of Personal Data from candidates applying for job offers

Personal Data is collected when the Data Subject applies for jobs that Sesame Avocats posts on recruitment sites or when he or she sends unsolicited applications.

c)     Collection of Personal Data from Users of the Website

When a user consults the Website, his/her Personal Data may be collected via:

  • technical cookies strictly necessary for the proper functioning of the Website; these technical functionality cookies enable the Website to function optimally; and

  • statistics and audience measurement cookies.

A distinction must be made between technical cookies, which are necessary for the proper operation of the Website, and other cookies, which cannot be deposited on a terminal without the consent of the user concerned. Users can find out about the nature of each of the cookies deposited, and accept or refuse them, at any time during their browsing on the Website, by configuring their browser software accordingly. Furthermore, the user may, at any time, choose to deactivate/delete the cookies installed on his/her terminal, and/or oppose the registration of new cookies.


IV. USE OF PERSONAL DATA

a)     Personal data collected on customers and prospects

The Personal Data collected is used for canvassing, establishing, exercising or defending the legal rights of the Data Subjects, for case management, and for invoicing the cases entrusted to Sesame Avocats.

b)     Personal data collected as part of a recruitment procedure

The purpose of collecting Personal Data is to:

  • receive and register applications sent to Sesame Avocats by e-mail;

  • manage recruitment procedures with the firm's various departments for staff, employees and trainees to be recruited;

  • respond to job and internship applications;

  • manage litigation.


V. SHARING PERSONAL DATA

Personal Data is only shared within Sesame Avocats with partners, associates, employees and trainees in compliance with applicable regulations.

Personal Data may also be processed from time to time by specialized subcontractors, subject to the same security and confidentiality obligations as those imposed on the Data Controller:

  • Hyart, a firm of chartered accountants, which Sesame Avocats uses for its accounting,

  • LOP, billing and time management software.

In the course of providing legal advice and assistance, Sesame Avocats may transfer Personal Data to courts, legal experts, government agencies, other lawyers, legal professionals (e.g. bailiffs, notaries) and other professionals belonging to regulated professions (accountants, insurers, etc.). The client irrevocably authorizes Sesame Avocats to carry out these transfers in order to protect his interests and to enable the firm to carry out the missions entrusted to it in accordance with its ethical rules. Under no circumstances may the persons to whom the above information is sent be considered as Subcontractors of Sesame Avocats, the client acting as principal with regard to these transfers.

If the client's case is to be handled outside France, in the European Union (EU), and if the client and his lawyer agree, the Personal Data concerning him collected by his lawyer may be shared with legal professionals in other EU countries. At his request, the lawyer in charge of his case will provide further information on the professional(s) who will handle his case in this (these) EU country(ies).

Personal Data relating to a user of the Website will not be transmitted to commercial or advertising entities. 


VI. STORAGE OF PERSONAL DATA

Personal Data are stored in the form of paper and/or electronic files, under the responsibility of the lawyer, who takes all necessary measures to ensure their security.

Personal Data is kept only as long as is necessary for the purposes for which it is to be used, in accordance with legal requirements. It is stored for the duration of the customer's file.

Once the file is closed, the data is stored for a limited period of five (5) years to enable Sesame Avocats to meet its obligations in terms of liability.

For accounting purposes, they are kept for ten (10) years from the end of the financial year in which the last invoice was sent to the customer.


VII. PERSONAL DATA SECURITY

Sesame Avocats undertakes to take all necessary and appropriate measures to protect and ensure the security of Personal Data held by the firm by implementing appropriate technical and organizational measures.

These measures include:

  • access control for Data Subjects: restricting access to authorized users only;

  • training Sesame Avocats staff in applicable regulations;

  • traceability measures: possible identification of persons accessing Personal Data;

  • software protection measures: authentication procedures with secure personal access via confidential logins and passwords;

  • data encryption: flow encryption / secure flows (HTTPS);

  • control of subcontractors subject to the same obligations of security, confidentiality and professional secrecy;

  • the implementation of an internal procedure to manage any incident, breach or violation of any Personal Data.

Sesame Avocats regularly analyzes its Data Processing and Personal Data protection procedures within the firm, in order to adjust and supplement them to guarantee its clients and prospects the highest possible level of protection.


VIII. PERSONAL DATA BREACH

In the event of a breach of Personal Data, Sesame Avocats will notify the relevant supervisory authority as soon as possible, and at the latest within seventy-two (72) hours of becoming aware of the breach.

Furthermore, in the event that the breach is likely to give rise to a high risk for the rights and freedoms of a natural person, Sesame Avocats will communicate the breach of Personal Data to the Data Subject as soon as possible, unless:

  • Sesame Avocats has implemented the appropriate technical and organizational protection measures and these measures have been applied to the Personal Data affected by the said breach, in particular measures which render the Personal Data incomprehensible to any person who is not authorized to have access to it, such as encryption;

  • Sesame Avocats has taken subsequent steps to ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialize;

  • and if communication would require disproportionate effort.


IX. RIGHTS OF DATA SUBJECTS

In accordance with the RGPD, Data Subjects have the following rights, under certain conditions:

  • access their Personal Data; Sesame Avocats must, upon request, provide them with a copy of their Personal Data;

  • obtain from Sesame Avocats, as soon as possible, the rectification of Personal Data concerning them which are inaccurate or incomplete;

  • obtain from Sesame Avocats, as soon as possible, the deletion of their Personal Data;

  • obtain from Sesame Avocats the limitation of the Processing;

  • receive their Personal Data in a structured, commonly used and machine-readable format, and transmit these Personal Data to another Data Controller (right to the portability of Personal Data); and

  • object, at any time, for reasons relating to their particular situation, to Processing concerning them.

Data Subjects may exercise all their rights by sending a letter with proof of their identity to Maître Sébastien Ducamp, who is responsible for processing Personal Data at Sesame Avocats AARPI, at the following postal address: 22 boulevard Malesherbes - 75008 Paris, or by sending an e-mail to the following address: Contact@sesame-avocats.com. Sesame Avocats has one (1) month from receipt of the client's request to respond.

If, after contacting Sesame Avocats, you feel that your data protection rights have not been respected, or that the recording device does not comply with the rules governing the protection of Personal Data, you may also lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL). For further information: https://www.cnil.fr/fr.

Sesame Avocats undertakes to cooperate with the CNIL, at the latter's request, in the performance of its duties.


X. THE PERSONAL DATA PROCESSING REGISTER

Sesame Avocats undertakes to keep a register of Processing activities, under its responsibility, mentioning all the information required by the provisions of Article 30 of the RGPD.