Legal Information

Privacy Policy and Processing of Personal Data

Last updated:

Eftimie & Asociatii – Societate Civilă de Avocați (SCA), with registered offices at 64 Ing. Zablovschi St., RO-011313, Bucharest, Romania; Phone: +40 21 207 91 29; E-mail: office@eftimie-asociatii.ro (the "Firm", "we", or "us"), as data controller, undertakes to protect and observe the confidentiality of your personal data in accordance with Regulation (EU) 2016/679 (the "GDPR") and Romanian Law no. 190/2018.

This Privacy Policy describes the categories of personal data we process, the purposes and legal bases of such processing, the recipients of the data, the storage periods, and the rights you have as a data subject.

1. Purposes and legal bases of processing

1.1. Clients and prospective clients (individuals, or legal representatives / contacts of corporate clients)

Categories of data processed: (i) identity data (name, surname, date of birth, citizenship, ID/passport details, position held); (ii) contact data (telephone, email, postal address); (iii) billing data (bank account); (iv) data relevant to the contractual relationship; (v) where applicable, data on criminal sentences and offences in the context of mandates in criminal matters; (vi) signature.

Purposes: (i) entering into, performing, amending or terminating the engagement letter; (ii) submitting the legal declarations required by applicable laws; (iii) fulfilling tax obligations relating to fees; (iv) preparing financial and accounting records as required by law; (v) administering our IT systems and information processing infrastructure; (vi) archival purposes mandated by law; (vii) handling correspondence; (viii) protecting your rights and lawful interests under the power of attorney granted to us; (ix) fulfilling the obligations imposed by law on lawyers; (x) communicating with you; (xi) complying with the GDPR and national data protection laws.

Legal bases: (i) Article 6(1)(a) GDPR — your consent, where applicable; (ii) Article 6(1)(b) GDPR — performance of the engagement letter or pre-contractual measures at your request; (iii) Article 6(1)(c) GDPR — compliance with a legal obligation (Tax and Accounting Law, Law 51/1995 on the organisation of the legal profession, the By-Laws of the Lawyer Profession, anti-money-laundering legislation); (iv) Article 6(1)(e) GDPR — performance of a task carried out in the public interest, lawyers being indispensable partners of justice under Article 39 of Law no. 51/1995; (v) Article 6(1)(f) GDPR — legitimate interests of the Firm in organising its business.

For special categories of personal data, processing is based on Article 9(2)(a) GDPR (your explicit consent) or Article 9(2)(f) GDPR (establishment, exercise or defence of legal claims). Data on criminal sentences and offences is processed in reliance on the role and duties of lawyers in criminal proceedings under Romanian law.

1.2. Job applicants and interns

We process the data you provide for the purpose of evaluating your application. Legal basis: Article 6(1)(b) GDPR (pre-contractual measures at your request).

1.3. Collaborators and service providers

We process: identity, contact, work experience, education, identification data, and signature, for the purpose of entering into and performing our agreement with you. Legal bases: Article 6(1)(b) and (c) GDPR.

1.4. Visitors of the website www.eftimie-asociatii.ro

Categories of data processed: IP address, country of access, browser type, operating system, device type (mobile/desktop), date and time of visit, pages visited, time spent on each page, referring URL, and language preference. Cookies and similar tracking technologies (described in Section 6) collect a portion of this data.

Purposes: (i) operating the website and ensuring its security; (ii) understanding how visitors interact with our website in aggregate (analytics); (iii) improving the content and structure of our website; (iv) responding to inquiries submitted via the contact form.

Legal bases: (i) Article 6(1)(f) GDPR — our legitimate interest in the secure and effective operation of the website (essential cookies, server logs); (ii) Article 6(1)(a) GDPR — your consent, for analytics and any non-essential tracking technologies (Section 6).

2. Google Analytics 4

Subject to your consent given through our cookie consent banner, we use Google Analytics 4 ("GA4"), a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) and Google LLC (1600 Amphitheatre Parkway, Mountain View, California, USA), collectively "Google".

Measurement ID: G-M65L7CQ083.

What GA4 collects on your behalf: a randomly-generated identifier stored in cookies, your truncated IP address (Google performs IP anonymisation in the EU before any further processing or storage), pages visited, time spent on each page, referrer URL, device type, operating system, browser, language, screen resolution, approximate geographical location (country / city level), and interactions you take on the website (such as clicks on contact form, phone, or email links).

Purpose: producing aggregated, anonymised statistics about how the website is used. We do not attempt to re-identify individual users from analytics data.

Legal basis: Article 6(1)(a) GDPR — your consent, given by selecting "Accept" or by enabling the "Analytics cookies" toggle in our cookie banner. Without your consent, the Google Analytics script does not record any events from your browser session.

Retention: we have configured the GA4 user-data retention period to 14 months, after which user-level and event-level data is automatically deleted. Aggregated reports remain available indefinitely.

International data transfer: Google may transfer collected data to the United States. Such transfers rely on the European Commission's Adequacy Decision of 10 July 2023 in respect of the EU-U.S. Data Privacy Framework, of which Google LLC is a certified participant, and on the Standard Contractual Clauses approved by the European Commission as additional safeguards.

How to opt out: you may withdraw your consent at any time by (i) clicking "Settings" in our cookie banner and disabling the "Analytics cookies" toggle; (ii) installing the Google Analytics Opt-out Browser Add-on (tools.google.com/dlpage/gaoptout); (iii) clearing the cookies stored by our domain. Withdrawing consent does not affect the lawfulness of processing performed before withdrawal.

For details about Google's own processing, see Google's Privacy Policy at policies.google.com/privacy.

3. Personal data security

We have implemented appropriate technical and organisational measures to protect your personal data, including HTTPS encryption for all communications with our website, restricted access to client files, regular security reviews, and back-up procedures. Despite these measures, the conveyance of information over the Internet is never fully secure; we cannot guarantee absolute security.

4. Recipients of personal data

Your personal data is processed primarily by us, as data controller. In well-justified cases and only to the extent necessary, data may be shared with:

  • public authorities and institutions (tax authorities, courts, prosecutors, etc.);
  • other relevant entities (the National Trade Registry Office, the National Cadaster and Land Registration Agency, courts of law, court enforcers, public notaries, banks);
  • legal profession entities (the National Union of Romanian Bars, the Bucharest Bar);
  • service providers acting as data processors on our behalf — accounting, tax, IT (Microsoft Corporation for productivity software; Netlify Inc. for website hosting; Google LLC / Google Ireland Limited for analytics, as described in Section 2), courier and postal services;
  • associates and partners of the Firm acting under our supervision (substitute lawyers, experts).

Disclosures take place only on a defined legal basis. Our service providers are bound by confidentiality and data processing agreements that comply with Article 28 GDPR.

5. Storage periods

Personal data is stored for as long as necessary to fulfil the purposes for which it was collected, and for any additional period required by applicable law:

  • Client data: for the duration of the engagement letter and thereafter for the periods required by law (5 years for anti-money-laundering records; 5 or 10 years for financial / accounting documents, depending on document type).
  • Job applicant data: 6 months following the conclusion of the recruitment process, unless you consent to a longer retention period for future opportunities.
  • Website server logs: 90 days.
  • Google Analytics data: 14 months at user / event level, after which Google automatically deletes it.
  • Cookie consent records: 12 months from the date you last updated your preferences.
  • Contact form submissions: 24 months, unless they form part of an active mandate, in which case they follow the client-data retention period above.
  • Data processed on the basis of consent: until consent is withdrawn, unless a separate legal obligation requires further retention.

6. Cookies and similar tracking technologies

Our website uses the following categories of cookies and local-storage entries:

  • Essential (always active): records of your cookie-consent choices and your selected language preference. These are necessary for the website to function and cannot be disabled. Legal basis: Article 6(1)(f) GDPR.
  • Analytics (consent-based): Google Analytics 4 cookies (_ga, _ga_M65L7CQ083) which collect the information described in Section 2. Legal basis: Article 6(1)(a) GDPR. These cookies are activated only after you give consent through the cookie banner.
  • Functional (consent-based): currently not in use. Reserved for any future personalisation features.
  • Marketing (consent-based): currently not in use. We do not run advertising campaigns or third-party retargeting on this website.

You can manage your cookie preferences at any time by clicking "Settings" on the cookie banner, or by deleting the stored consent record from your browser to re-trigger the banner.

7. Your rights under GDPR

You have the following rights in relation to the personal data we process about you:

  • Right to be informed about how we collect and use your data (Article 13 GDPR).
  • Right of access to confirmation of whether we process your data and to a copy of that data (Article 15 GDPR).
  • Right to rectification of inaccurate or incomplete data (Article 16 GDPR).
  • Right to erasure (the "right to be forgotten") (Article 17 GDPR).
  • Right to restriction of processing in defined circumstances (Article 18 GDPR).
  • Right to data portability for data processed on the basis of consent or contract (Article 20 GDPR).
  • Right to object to processing based on our legitimate interests, including analytics (Article 21 GDPR).
  • Right not to be subject to a decision based solely on automated processing, including profiling (Article 22 GDPR). We do not engage in automated decision-making with legal effects.
  • Right to withdraw consent at any time, where the processing is based on Article 6(1)(a) GDPR. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
  • Right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) — see Section 9.

Some interventions on the data you have provided may make it impossible for us to perform the engagement letter. In such cases, the Firm is exonerated from liability.

To exercise any of these rights, contact us at office@eftimie-asociatii.ro or in writing at 64 Ing. Zablovschi St., RO-011313, Bucharest, Romania. We will respond within one month of receiving the request, and may extend this period by up to two further months for complex requests, in which case we will inform you within the first month.

8. Children

Our website is not directed to children under 16. We do not knowingly collect personal data from individuals under 16. If you believe a child has provided personal data to us, please contact us so we can delete it.

9. Supervisory authority

You have the right to lodge a complaint with the competent supervisory authority for data protection if you believe your personal data has been processed in breach of applicable laws:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 București, Romania
Phone: +40 318 059 211 / +40 318 059 212
Email: anspdcp@dataprotection.ro
Website: www.dataprotection.ro

10. Updates to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, in technology, in legal requirements, or for other reasons. The "Last updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this Privacy Policy periodically.

We use cookies on our website to see how you interact with it. By accepting, you agree to our use of such cookies. Privacy Policy