Privacy Notice

Privacy Notice

CARDIGOS is a law firm that specialises in providing high-end legal advice to its clients, mostly in complex business transactions. CARDIGOS is fully committed to respecting the privacy of its clients or any other person that has contact with it. We act in accordance with the applicable data protection laws when collecting and processing the data you have provided us with, or which we have obtained from your visits to our website.

If you are a current client, a potential client (who has already established any form of contact with our law firm), or someone who has visited our website we advise you to read this Privacy Notice because it applies to you and it explains how we process your data. If you have any further queries, you are more than welcome to contact us at gdpr@cardigos.com (please see additional contact details below).

If you are a client, we further advise you to read this Notice together with our Terms of Business.

1. To whom is this Notice applicable?

This Privacy Notice explains how we process data that we obtain:

  • In the course of carrying out business intake procedures;
  • From or about individuals who are our clients;
  • From or about individuals in the course of providing legal services to our clients;
  • From or about individuals in the course of operating our business generally; and
  • From operating our website, responses to emails, alerts, invitations on LinkedIn and feedback on our official page and other such communications.

2. What type of data do we process?

CARDIGOS may process the following types of data:
- Identification data (e.g. name, age, nationality, gender, contact details, identification card number, taxpayer number);
- Data relating to education and work experience (e.g. courses and qualifications);
- Data relating to the data subject’s job (e.g. title, position, job description, company, business contact details);
- Data related with specific cases in relation to which our assistance was requested;
- Invoicing and expenses data (e.g. fees, client-related travelling and communication expenses); and
- Recorded image data (e.g. photographic and video images).

3. Why do we process your data?

As lawyers we do not only have to act in accordance with GDPR but also with strict rules that govern the way we interact with our clients and society in general. Therefore, we process your data for the purpose of providing legal services in accordance with our professional obligations and other legal obligations we are bound to. 

We may process your data in the following circumstances:

  • When we need to perform a contract we are about to or have entered into with you. Please note that without the provision of your personal data we may not conclude a contract with you;
  • When we need to do so to comply with a legal obligation;
  • When it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests;
  • When it is necessary to establish, exercise or defend legal claims;
  • If you have already made the information public; or
  • If you have given your consent.

When we process sensitive data about you (v.g. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person and/or data concerning health) in processing your claim or establishing a defence in court we are allowed to do so in accordance with the GDPR. When we process sensitive data about you while providing you with any other type of legal assistance we will collect your consent making sure it is not only explicit but also freely given, informed and unambiguous.

The particular legitimate interests upon which we rely in processing your personal information include the following:

- For the purposes of carrying out business intake procedures: this will include using and/or obtaining information for the purposes of carrying out anti-money laundering proceedings, conflict and other business intake searches.

- For the purposes of sending communications related with our services: we may use information about you for the purposes of promoting our services, if you request information about our services or indicate that you have an interest in receiving communications on legal topics, respond to invitations to events, or comment on our LinkedIn page. Based on that information, we may also identify further services, legal topics and events about which you may wish to know more. If you are a natural person we will always ask for your consent before sending you this type of communications. However, if we are contacting you for this purpose as a representative of a company we may do so based on our legitimate interests. Nevertheless, in this case you have the right to ask us not to process your personal information for this purpose. You can exercise that right at any time by contacting us as set out below, or by checking the appropriate boxes in every email we send you with this type of communications.

- For the purpose of fostering our law firm position within the market and the quality of its lawyers: we may use your data when submitting cases to legal directories.

- For the purpose of ensuring the protection of CARDIGOS’ premises and the persons and relevant goods on those premises. Please note that, when images are recorded and/or when photographs are taken, your consent will always be requested. 

- For the functioning of our business and its operations: we may use your personal information in the course of operating our business, including the management of our relationships with third party suppliers, dealing with our insurance arrangements, facilitating a business sale, acquisition or restructuring or for seeking external legal advice. We may also use your data for the purpose of satisfying our debt-claims in the exercise of our legal rights.

Change of Purpose

We will only use your personal information for the purposes for which we have collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will only do so if legally permitted and with appropriate notice.

 4. For how long do we keep your data?

CARDIGOS has document retention and destruction practices relating to data which differ according to practice area/business support team, the nature of the information, its format and type of documentation. In determining the appropriate retention period for personal information we consider such factors as the nature of the information, the purposes for which the data is retained, appropriate security measures, relevant technical constraints and applicable legal requirements.

Nevertheless, and in general: i) as regards the provision of legal services we may keep your data for the duration of our contract, plus 20 years; ii) as regards the recording of image data for the protection of goods we may keep your data for 30 days; and iii) as regards the compliance with statutory obligations we may keep your data for the period of time established by each regulation (e.g. invoicing and accounts management à 10 years, anti-money laundering proceedings à 7 years).

5. Where is your data located? To whom do we share/transfer it?

Your data is stored on servers located in the EU. Your data may be processed by CARDIGOS ’ lawyers and employees. In accordance with Portuguese Law both lawyers and law firm employees are subject to strict confidentiality obligations. Your data may be accessed by our IT vendor. Please note that your data held in hard copy is stored onsite or at secure locations. In addition, your data is transmitted to very few subcontractors, being these mainly companies that provide secure location for our archives, IT vendors and security companies. We may provide personal information to third parties that perform services for us solely for our use and benefit or in order for them to perform services on behalf of a client. We will only transfer your personal information in these circumstances where we are satisfied that it will be subject to an appropriate level of protection and in accordance with any safeguards that may be legally required.

CARDIGOS does not transfer your data for any country located outside of the EU/EEA unless you specifically request it (e.g. by establishing contact between a client and lawyers located outside of the EU/EEA for the purposes of solving a specific dispute). When doing so, we will make sure your data is safely processed in accordance with GDPR rules.

Finally, CARDIGOS may be required by law to disclose your data to a regulator, court or authority.

6. Use of Online Identification Technologies

We use online identification technologies such as cookies on CARDIGOS ’ website. "Cookies" are small text files placed on your hard drive that assist us in providing a more customized website experience. When you visit a site that uses cookies for the first time, a cookie is downloaded onto your computer. The next time you visit that site, your computer checks to see if it has a cookie that is relevant (that is, one containing the site name) and sends the information contained in that cookie back to the site. The site then recognizes that you have been there before and, in some cases, tailors what appears on screen to take account of that fact.

You can access our Cookie Policy on our website www.cardigos.com.

7. Confidentiality and Security

We take reasonable precautions to ensure that your personal information remains confidential and have put in place appropriate security measures to protect your personal information. We will limit access on a need to know basis; in relation to processors, they will only process your personal information on our instructions and subject to a duty of confidentiality.

We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.

 8. Your Rights

You have the right to access to data we hold on you. You may ask for a copy of your personal data undergoing processing. You may request us for any additional information regarding the way we process your personal data. If you believe the information we hold about you is inaccurate or no longer current, please contact us so that we can remove or correct the information in accordance with your instructions.

In certain circumstances you may have the right to have your personal information erased from our files. You may also object to, or request restrictions on, processing, in specific cases. In addition, you have the right to receive your personal information in a structured, commonly used and machine-readable format and to transmit such information to another controller.

We normally do not base our processing activities on consent. However if we do so, you may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdraw. However, if this consent was given in the course of the provision of legal services by our law firm (e.g. on sensitive data), it may impact the provision of such services.

If you wish to exercise your rights, make a complaint or ask a question, please see below our contact details.

9. Data Controller, Supervisory Authority and Contact Details

CARDIGOS is the controller of your data. CARDIGOS is located at Praça Nuno Rodrigues dos Santos, 14B, 1600-171 Lisboa, Portugal. You may visit us in our offices, contact us by mail, email to gdpr@cardigos.com or by phone to +351 21 330 39 00, being this line available from 9:15 a.m. to 7 p.m. GMT.

This Privacy Notice was drafted with brevity and clarity in mind. We are very happy to assist with any further queries.

If you have a complaint about how we process your personal data, we would appreciate the opportunity to deal with your concerns before you approach the Portuguese Supervisory Authority. However you do have the right to report any situation to this Authority (Comissão Nacional de Protecção de Dados).

10. Changes to Our Privacy Notice

The present version of this Privacy Notice is published on 30 July 2018. We may change our Privacy Notice from time to time. Any changes will be posted in this page. You should check our website periodically.

Please note, your browser is out of date.
For a good browsing experience we recommend using the latest version of Chrome, Firefox, Safari, Opera or Internet Explorer.