Privacy Policy

1. Who we are

Nastra Attorneys at Law Ltd., Hottingerstrasse 21, 8032 Zurich, Switzerland (“we”, “us” or “our”) are responsible for your personal data which is processed in accordance with this Privacy Policy.

This Privacy Policy explains how we process your personal data and which rights you are entitled to.

Please note that this Privacy Policy will be published on our website www.nastra.ch and is updated from time to time. We recommend that you regularly consult this document and take note of updates.

2. Personal data we collect and process

Personal data which we may collect and process may consist of:

  • Your name and contact details such as, for example, your first and last name, address, country, telephone number, video call information and/or e-mail address, date of birth, gender as well as the company you are working with, your position, title, qualifications and other fundamental information.
  • Identification, financial and background information, which you provide to us, or which we need to establish a mandate relationship or employment relationship with you as well as financial information, such as, for example, account and payment information.
  • Information which we receive from you during meetings, telephone calls, video calls, discussions, events or via e-mail or mail.
  • Information, disclosed by or on behalf of our clients or that we provide to clients as part of our services and/or legal advice.
  • Other information you may provide to us in course of our mandate relationship with you.
  • Further information we collect from other sources such as, for example, information from publicly available sources.

3. How we process personal data and for what purpose

3.1 If you mandate us

During, before or after our mandate relationship with you we process personal data as
described in section 2., such as:

  • Your name and contact details
  • Identification, financial and background information
  • Information which we receive from you
  • Information, disclosed by or on behalf of our clients or that we provide to clients
  • Other information
  • Further information

We will process this information to communicate with you, to provide you with our services or legal advice, to manage and develop the mandate relationship with you, to identify possible services or legal advice you may be interested in and to bill you for our services and/or legal advice, including the assertion, enforcement and defence of legal claims.

Please note that we may process the mentioned personal data even before you enter in a mandate relationship with us. This to identify you, to perform money laundering checks, conflict and reputation checks and to assess whether we may render services and/or legal advice for you, respectively enter in a mandate relationship with you.

After the mandate relationship has ended, we may be obliged to store your personal data to fulfil legally or regulatory required obligations. We may also store your personal information for the assertion, enforcement and defence of legal claims. Your personal data will be stored for 10 years after your mandate relationship with us has ended. You may ask to erase your
personal data before this retention period ends, provided that no legal or regulatory obligations or the assertion, enforcement and defence of legal claims do prevent us from deleting your personal data.

The legal basis for processing of your personal data for the above-mentioned purposes lies in pre-contractual measures and the execution of a contract, in the fulfilment of legal obligations as well as in our legitimate interest in the support of the client relationship.

3.2 If you contact us via e-mail, mail, telephone and/or physical meetings

When you contact us via e-mail, mail, telephone and/or attend to physical meetings, we may process personal data as described in section 2., such as:

  • Your name and contact details
  • Identification, financial and background information
  • Information which we receive from you
  • Information, disclosed by or on behalf of our clients or that we provide to clients
  • Other information
  • Further information

We will process this information to communicate with you, to provide you with our services or legal advice, to manage and develop the mandate relationship with you, to identify possible services or legal advice you may be interested in and to bill you for our services and/or legal advice. We may also process this information for the assertion, enforcement and defence of legal claims.

The legal basis for processing of your personal data for the above-mentioned purposes lies the execution of a contract, in the fulfilment of legal obligations as well as in our legitimate interest in the support of the client relationship.

Furthermore, please refer to the additional information in section 3.1.

3.3 If you contact us via video calls

We use Microsoft Teams to conduct conference calls, online meetings, video conferences and/or webinars. Microsoft Teams is part of Microsoft 365. Please see below section 3.9
regarding personal data collected via Microsoft 365.

We furthermore offer to conduct video calls via other platforms. Such platform will be chosen by you and we only use such platforms when explicitly requested by you. Therefore, you should be aware what personal data is collected and processed by the platform before requesting it to be used for a video call with us. When you request to use another platform than Microsoft Teams, we are not responsible for any personal data such platform may collect and process.

When you contact us via video calls, we may furthermore process personal data as described in section 2., such as:

  • Your name and contact details
  • Identification, financial and background information
  • Information which we receive from you
  • Information, disclosed by or on behalf of our clients or that we provide to clients
  • Other information
  • Further information

In addition to the above, we might record the video call with you in several cases. Should we record a video call we will inform you before starting the recording.

We will process this information to communicate with you, to provide you with our services or legal advice, to manage and develop the mandate relationship with you, to identify possible services or legal advice you may be interested in and to bill you for our services and/or legal advice. We may also process this information for the assertion, enforcement and defence of legal claims.

The legal basis for processing of your personal data for the above-mentioned purposes lies the execution of a contract, in the fulfilment of legal obligations as well as in our legitimate interest in the support of the client relationship.

Furthermore, please refer to the additional information in section 3.1.

3.4 If you visit our website

Our sever does not store any personal data and does not create log files containing personal data.

Furthermore, our website does neither store any cookies on your device, nor do we use
tracking tools or similar to analyse your browsing behaviour.

3.5 If you subscribe to our newsletter

We work together with mailXpert GmbH for distributing our newsletter. mailXpert GmbH is a service provider, with its seat in Schulstrasse 37, 8050 Zurich, Switzerland. For further
information on mailXpert GmbH, please visit their website www.swissnewsletter.ch. mailXpert GmbH processes your personal data in Switzerland, only.

If you subscribe to our newsletter, we will process personal data as described in section 2., such as:

  • Your name and contact details
  • Information which we receive from you
  • Further information

Our newsletter contains a tracking pixel. This is a non-visible graphic that provides information whether an e-mail has been opened. Furthermore, your accessing device as well as the date and time of access, the used e-mail client, the clicked links in the e-mail as well as your gender will be logged in aggregated form for statistical purposes.

We will process this information to provide you with our newsletter, to send you information on new legal developments, for marketing and client specific advertising purposes, to invite you to events and for general information purposes.

Should you not want to receive our newsletter anymore, you may de-register from the
subscription at any time via the link at the bottom of our newsletter, or via circulars@nastra.ch.

The above-mentioned personal data will be stored as long as you are subscribed to our
newsletter and will be deleted once you de-register from the subscription, provided that no legal or regulatory obligations or the assertion, enforcement and defence of legal claims do prevent us from deleting your personal data.

With the registration to our newsletter, you consent to process your personal data as described in this section. The legal basis processing the above-mentioned personal data is your consent and in certain cases our legitimate interest to be able to provide you with the information on our services and/or legal advice.

3.6 If you register for events we organise, or provide us information on events we are organising or which we are visiting

If you register for events, or provide us information on events, either organised by us or visited by us, we will process personal data as described in section 2., such as:

  • Your name and contact details
  • Information which we receive from you
  • Further information
  • Identification, financial and background information (for events which are organised by us, and which require a registration fee)

Furthermore, if there is an online or e-mail registration necessary for events organised by us, your IP-address of the accessing device as well as the date and time of access will be logged.

We will process this information to communicate with you, to provide you with our services and/or legal advice with regard to the event, to identify and inform you about other events which may be of interest for you, to identify possible services and/or legal advice you may be
interested in, and, in case the event requires a registration fee, to bill you for it. We may also process this information for including the assertion, enforcement and defence of legal claims.

Your personal data will be stored for 10 years after you have registered for the event. You may ask to erase your personal data before this retention period ends, provided that no legal or regulatory obligations or the assertion, enforcement and defence of legal claims do prevent us from deleting your personal data.

With the registration for an event, or while providing us information on events, you consent to process your personal data as described in this section. The legal basis for processing your personal data is your consent and, in certain cases, our legitimate interest to be able to provide you with the information on our services and/or legal advice, or the performance of a contract in case for events which we organise, and which require a registration fee.

3.7 If you apply for a job with us

If you apply for a job with us and therefore send us your application documents, we will process personal data as described in section 2., such as:

  • Your name and contact details
  • Information which we receive from you
  • Identification, financial and background information
  • Further information

In addition, we may collect and process particularly sensitive personal data such as personal data on administrative and criminal prosecutions or sanctions, personal data on religious,
ideological, political or labour union views or activities, personal health data, and/or personal data on social assistance measures.

We will process this information to review your application, to decide on a possible employment relationship and to communicate with you.

The above-mentioned personal data will be stored as long as you are within the recruitment process and will be deleted once the recruitment process is over. In case the recruitment leads to an employment relationship with us, the data will be stored for 10 years after your
employment relationship with us has ended. You may ask to erase your personal data before this retention period ends, provided that no legal or regulatory obligations or the assertion, enforcement and defence of legal claims do prevent us from deleting your personal data.

The legal basis for processing the above-mentioned data lies in pre-contractual measures and the possible execution of a contract, in your consent and in our legitimate interest in case the recruitment process leads to an employment relationship.

3.8 Processing of data from third-parties

We may process all kinds of personal data mentioned in section 2 from third-parties if we, respectively our clients, have a legitimate interest in doing so and this does not outweigh the interest, fundamental freedoms or fundamental rights of the third-parties. This processing is based on our, or our client’s, legitimate interest in providing legal services and advice to our clients.

3.9 Microsoft 365 and affiliated software

For our day-to-day work, we use Microsoft 365 and various applications included in it. Microsoft 365 is a software of the Microsoft Corporation, One Microsoft Way Redmond, WA. 98052-6399 USA. However, our contractual partner is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (hereinafter “Microsoft”).

Microsoft 365 contains numerous software, such as Word, PowerPoint, Excel, Outlook and
Microsoft Teams. Microsoft 365 also offers additional online services. These include several cloud services, such as SharePoint (incl. Teams and OneDrive) and Exchange Online, where the data is stored on Microsoft servers instead of ours.

A direct exchange of personal data between you and our Microsoft 365 applications will
primarily take place when communicating via e-mail or via Microsoft Teams. We furthermore use Microsoft 365 to process personal data for the purposes mentioned in section 3.1 - 3.8 Please note section 4. which provides further information on data transfer of personal data outside of Switzerland.

We have the implemented the “Customer Lock Box”. As a result, Microsoft has no access to our data in Office 365. Microsoft can request access for the purpose of remote maintenance. This access will then be checked by us on a case-by-case basis and granted, if approved. Microsoft Teams is not part of the “Customer Lock Box”.

In connection with the use of Microsoft 365, Microsoft processes certain data as an
independent controller. Please note that we have no influence on this kind of data processing. To the extent Microsoft processes personal data in connection with the use of Microsoft 365, Microsoft is the independent data controller for that and, as such, is responsible for compliance with all applicable laws and obligations of a data controller. For further information please refer to the privacy statement of Microsoft available under:

https://privacy.microsoft.com/​de-de/​privacystatement.

4. Disclosure of Data and transfer outside of Switzerland

We consider the personal data referred to in this Privacy Policy to be confidential and will treat it
accordingly. All our attorneys and employees may have access to your personal information unless we deem it inappropriate, or you instruct us to limit access to certain information to a specific group of people.

We will not share this information with third parties unless it is necessary to comply with any law, court order, or legal process, enforce or apply our agreements, to protect us or our rights, or unless you have consented to this.

Besides the explicitly mentioned third parties in this Privacy Policy, we may share your personal data with other entrusted third-party service providers to the extent necessary, including:

  • IT service providers;
  • External accountants;
  • Auditors;
  • Third parties engaged with their prior consent as part of services and/or legal advice we provide to our clients, such as other law firms or technology service providers for data room services;
  • Third parties who are also involved in the implementation or organization of events and seminars.

In addition, we share your data with third-party service providers to the extent necessary for the use of the website, the processing of your contact requests, the sending of marketing communications, as well as for other processing purposes mentioned above. The use of the data disclosed for this purpose by third parties is limited to the aforementioned purposes.

Service providers located in Switzerland and/or the EEA enter into a contract with us which ensures the protection of your personal data.

Several third-party service providers mentioned in this Privacy Policy, such as, e.g., Microsoft, may be located in the United States. In the United States there are several surveillance measures by US
authorities in place, which allow the storage of all personal data of all persons whose data has been transferred to the USA. Furthermore, there are no legal remedies available in the United States for data subjects from Switzerland or the EU to obtain access to the data concerning them and to have it
corrected or deleted, and there is no effective judicial legal protection against general access rights of United States authorities. The USA do not have an adequate level of data protection from the point of view of the European Union and Switzerland. Insofar recipients of data are based in the USA, we aim to ensure through contractual arrangements with such third-party providers, that your data is protected with an adequate level.

Your personal data is generally stored in Switzerland. Due to the above, it is possible that your personal data may be transferred to or accessed from countries outside of Switzerland, such as countries within the EEA or the USA. It is also possible that your personal data may be transferred to or accessed from another country, where you require us to work from. In such cases you need to consent to the transfer or access of your personal data to such a country.

5. Your rights

You have the following rights regarding the processing of your personal data. You can exercise these rights by contacting us:

  • Right to information: You have the right to be informed about your personal data stored and processed by us and/or and third party we are working with, at any time free of charge. In certain circumstances, and accordance with the applicable legal regulation, we have the right to charge you for providing the requested information. In particular cases, your right to information may be excluded.
  • Right to rectification: You have the right to have inaccurate or incomplete personal data stored and processed by us and/or and third party we are working with rectified and to be informed of the rectification. In case of a rectification, we will inform the recipients of the data concerned about the adjustments made, unless this is impossible or involves
    disproportionate effort.
  • Right to restriction of processing: Under certain circumstances, you have the right to demand that the processing of your personal data shall be restricted. In particular cases, your right to restriction of processing may be excluded.
  • Right to data transfer: Under certain circumstances, you have, the right to receive the personal data that you have provided to us, free of charge, in a common electronic/machine readable format. In particular cases, we have the right to charge you for transferring your data.
  • Right to erasure: Under certain circumstances, you have the right to have your personal data erased. In particular cases, your right to erasure may be excluded.
  • Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with the competent supervisory authority against the way your personal data is processed.
  • Right of withdrawal of your consent: Generally, you have the right to withdraw your consent at any time. However, processing activities based on your consent in the past will not become unlawful as a result of your revocation. In particular cases, your withdrawal of your consent may be overridden by another justification which would allow us to further process your data.

6. Data Security and Integrity

We protect the confidentiality and security of your personal data, which we receive, collect, store or process in the course of our business activities. We are serious about data protection and ensure that your personal data is handled in accordance with the applicable laws and regulation, mainly the Swiss Federal Data Protection Act (“FADP”), its ordinance and, where legally required, the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).

We furthermore use technical and organisational measures to ensure the security and integrity of your personal data and to ensure that your personal data is protected from unauthorized access, use, disclosure, alteration, destruction or unauthorized access by third parties. Our employees and service providers are bound to secrecy and to comply with data protection.

Please note that data transmitted via an open network such as the Internet or an e-mail service is openly accessible. We cannot guarantee the confidentiality of messages or content shared over these networks. When you share personal information over an open network, you should be aware that third parties may have access to that information and may collect and use it for their own purposes.

7. Contact

Should you have any data protection related question, or should you wish to get in touch with us
regarding to the exercise of your rights, please contact us via circulars@nastra.ch or via regular mail to:

Nastra Attorneys at Law Ltd.
Data Protection
Hottingerstrasse 21
CH-8032 Zurich

If you believe that your inquiry to us has not been handled to your satisfaction, you may contact the competent data protection authority; in Switzerland, the Federal Data Protection and Information
Commissioner (https://www.edoeb.admin.ch).

October 2023