• wpml-ls-flag
  • wpml-ls-flag

Privacy and personal data protection policy

The purpose of this privacy and personal data protection policy (hereinafter the “Policy”) is to set out the purposes, the terms, and conditions for the processing of personal data by:

FRENCH AMERICAN BAR ASSOCIATION (ASSOCIATION DES BARREAUX FRANÇAIS ET AMÉRICAINS), an association governed by the law of July 1st 1901, declared and registered under number RNA W751210407, with its headquarters at the LIBRA AVOCATS law firm, 5 rue Juliette Récamier, 75007 Paris, represented by its President, Maître Delphine ESKENAZI (hereinafter the “FABA“)

FABA may collect and process personal data concerning:

  • visitors and users (hereinafter referred to as “Users”) of the website https://www.faba-france.org (hereinafter referred to as the “Site“) when they browse the Site;
  • its members, in accordance with the association’s statutes (hereinafter referred to as “Members“);
  • participants in events organized by FABA (hereinafter referred to as “Participants“); and
  • any person interested in the purpose of FABA and/or who comes into contact with FABA (hereinafter referred to as “Interested Persons“).

Together, Users, Members, Participants, and Interested Parties are referred to as “Data Subjects.”

FABA is committed to protecting the privacy and personal data of Data Subjects. It ensures that it adopts and complies with a personal data processing policy that complies with the regulations in force, in particular in accordance with EU Regulation No. 2016/679 known as the “General Data Protection Regulation” (the “GDPR”) and the French Data Protection Act of January 6, 1978, as amended.

This Policy may be consulted at any time by Data Subjects directly on the Website.

In addition, when joining FABA, registering for an event, and/or contacting FABA via the forms on the Website dedicated to these purposes, Data Subjects must acknowledge that they have read this Policy before submitting their request.

FABA reserves the right to modify the Policy at any time. The version in force will be the one published on the Website.

1. Data controller

FABA is the data controller for the personal data collected and processed relating to Data Subjects, in connection with their browsing of the Website (for Users), their membership (for Members), their participation in events (for Participants), and their interaction with FABA (for Interested Parties).

The data controller is the person or entity (in this case, FABA) that determines the methods and purposes of personal data processing. It is responsible for the processing of personal data that it carries out and is the main point of contact for Data Subjects who wish to obtain information or exercise their rights.

FABA can be contacted using the contact details provided in Article 10 “Contact” of this Policy.

2. Collection of personal data

2.1 Source of personal data

FABA collects personal data from Data Subjects directly from them in the following cases:

  • When Data Subjects contact FABA
  • When joining FABA for Members
  • When Participants register for events organized by FABA

Furthermore, insofar as connecting Members, Participants, and Interested Parties is part of FABA’s purpose, FABA may receive information about an Interested Party through a third party (whether or not that third party is a Member).

In this case, after receiving information about the Interested Party through a third party, when first contacting the Interested Party, FABA will inform them about the processing of their personal data and their rights, by sending them a link to its privacy policy by email (provided that it has collected the email address of the Interested Party).

2.2 Mandatory nature of data provision

Certain data is necessary to join FABA, to register for an event, and/or to contact FABA. The mandatory information to be completed is indicated on FABA forms by an asterisk or by the words “mandatory information.” If this information is not provided, FABA will not be able to implement the contractual relationship and/or the services concerned.

Other data are optional and are only processed by the Data Controller when they are communicated spontaneously by the Data Subject.

2.3 Accuracy of data

FABA makes every effort to keep the personal data of Data Subjects accurate and complete. In order to ensure that their data is up to date, Data Subjects may contact FABA using the contact details provided in Article 10 of this Policy.

3. Purposes and legal bases for processing

FABA processes the personal data of Data Subjects in accordance with the following legal bases for the purposes described below:

In the context of the performance of a Contract or pre-contractual measures for membership of FABA in accordance with the association’s statutes:

  • management of acceptance of the association’s statutes and this Policy;
  • collection of Member’s information;
  • any exchanges between FABA and Interested Parties to obtain information about the purpose of FABA prior to membership;
  • exchanges between FABA and its Members, in accordance with the statutes;
  • putting Members in contact with each other or with Interested Parties (for the Member who initiates such a request);
  • more generally, the implementation of the purpose of FABA among members;
  • the management of any complaints.

In the context of the performance of a contract or pre-contractual measures for registration for events organized by FABA:

  • managing acceptance of the event registration conditions and this Policy;
  • the collection of Participant’s information;
  • any exchanges between FABA and Interested Parties to obtain information about the event prior to registration;
  • any exchanges between FABA and Participants before, during, or after an event regarding that event;
  • the management of any complaints.

As part of FABA’s legal obligations:

  • complying with the legal and regulatory obligations to which FABA is subject, including (but not limited to) tax reporting on transactions and invoice retention;
  • keeping accounts;
  • the prevention of money laundering, fraud, terrorist financing, and the fight against corruption;
  • managing requests from Data Subjects regarding their personal data protection rights;
  • responding to any request, order, or injunction from a judicial or administrative authority.

In the context of FABA’s legitimate interest, while respecting the fundamental rights and freedoms of Data Subjects:

  • responding to Interested Parties who have contacted FABA using the contact form on the Website or via FABA’s contact details (FABA’s legitimate interest is to promote and improve its services by responding to questions and communications from Interested Parties);
  • connecting Members with each other (for the Member who is not the initiator of the request) or Members with Interested Parties (and only when the Interested Party who is not a Member is the initiator of such a request) (FABA’s legitimate interest is to promote exchanges between Members and Interested Parties in accordance with the association’s purpose);
  • sending newsletters and other information to Members, Participants who have taken part in a FABA event in the last three years, and Interested Parties who have contacted FABA in the last three years, except where the Data Subject has expressly indicated that they do not wish to receive such communications (FABA’s legitimate interest is to promote its services, purpose, and events);
  • managing its social media accounts (FABA’s legitimate interest is to promote its services, purpose, and events);
  • making the Website available, maintaining it, and improving it (FABA’s legitimate interest is to promote and improve its services by providing information about its services, purpose, and events);
  • collecting opinions from Data Subjects (FABA’s legitimate interest is to promote and improve its services by providing additional information about its services and purpose);
  • managing debt collection (FABA’s legitimate interest is to enforce and exercise its rights);
  • detecting, investigating, preventing, or taking action regarding illegal activities, abuse, suspected fraud, or situations involving potential threats to the safety or rights of a person or entity, and using them as evidence in the event of litigation (FABA’s legitimate interest is to prevent fraud and any prohibited or illegal activity, as well as to enforce and exercise its rights);
  • the protection and defense of its rights and interests before the competent courts, tribunals, or authorities (FABA’s legitimate interest is to enforce and execute its rights);
  • enabling the training of its teams (FABA’s legitimate interest is to enable its teams to acquire the skills and knowledge necessary for the tasks entrusted to them);
  • enabling compliance and security audits to be carried out (FABA’s legitimate interest is to maintain a high level of competence, quality, and regulatory compliance).

With the consent of the Customer or User:

  • establishing contact and/or communicating information about a non-member Data Subject who is not the initiator of the request;
  • Exceptionally, when FABA wishes to process personal data for purposes other than those mentioned above, FABA will do so on the basis of the Data Subject’s consent.

4. Categories of personal data

The information collected by FABA about the Customer is not personal data when it concerns information about a company only. (For example, a general telephone line dedicated to the company or an email address such as “contact@nomdelasociete.com” is not personal data.)

However, information relating to Data Subjects, when it concerns a natural person, is personal data relating to individuals.

As such, FABA may collect and process the following categories of personal data:

  • During exchanges with FABA: surname, first name, email address, telephone number, and any other information voluntarily provided by the Data Subject during their exchanges with FABA.
  • When joining: surname, first name, email address, telephone number, postal address, status (lawyer, legal professional, student), bar association for lawyers, field of activity.
  • When registering for an event: surname, first name, email address, status (lawyer, legal professional, student).
  • When paying the annual membership fee or event participation fee by bank transfer or check: last name, first name, billing address, bank details (not stored), SIRET and VAT numbers if applicable.
  • When paying the annual membership fee or event participation fee by credit card: last name, first name, credit card number (not stored), SIRET and VAT numbers, if applicable.
  • When invoicing, collecting payments, and archiving invoices: last name, first name, billing address, SIRET number, and VAT number if applicable.
  • When sending a newsletter: last name, first name, and email address.
  • When managing its social networks and/or collecting reviews: surname, first name, username, and any other information provided voluntarily by the Data Subject.

5. Recipients of personal data

Personal data collected and processed by FABA may be transmitted:

  • To authorized persons among the members of the FABA board of directors;
  • To Members (for other Members or for Interested Parties who are the initiators of the request or, failing that, with their consent);
  • To Interested Parties (for Data Subjects who initiated the request, or failing that, with their consent);
  • To service providers used by FABA to fulfill the purposes set out in Article 3 of this Policy (within the limits of the data necessary to fulfill these purposes);
  • To the police, administrative and/or judicial authorities (or more generally to public bodies), as well as to FABA’s insurance company, in the event of a breach of the association’s statutes or a legal or regulatory obligation, in the context of FABA’s legal obligations, or to enable it to defend its rights and interests;
  • To FABA’s legal advisors and lawyers as necessary.

6. Personal data security

FABA implements organizational, technical, software, and physical security measures to protect personal data against loss, unauthorized access, disclosure, or alteration.

7. Hosting and transfer of personal data outside the European Economic Area

The personal data collected for which FABA is responsible is hosted in France on FABA’s servers.

Personal data for which FABA is responsible may be transferred to countries outside the European Economic Area (hereinafter the “EEA”), including, but not limited to, Data Subjects in the United States, in particular members of the twin association “FRENCH AMERICAN BAR ASSOCIATION” based in New York.

In order to ensure protection equivalent to that offered in the EEA, a territorial area outside of which the standards of the GDPR do not apply, data transfers outside the EEA will be:

  • To a country that has received an adequacy decision from the European Commission; or
  • To entities that have adopted binding rules in accordance with the GDPR as part of a process approved by the European Commission; or
  • Governed by contractual clauses based on the European Commission’s standard clauses.

8. Data retention

FABA retains the personal data of Data Subjects for the time necessary to fulfill the purposes pursued, plus any legal archiving, retention, and limitation periods, where applicable. At the end of these periods, personal data will either be deleted or irreversibly anonymized by FABA.

The retention period depends on the type of personal data and the purpose. The retention period is determined in particular according to the following criteria:

  • The duration of the contractual relationship with the Member;
  • The regularity of contacts with FABA;
  • The existence of legal obligations requiring FABA to retain the data;
  • The existence of a retention period specifically defined by applicable regulations (e.g., obligation to retain invoices for 10 years); and
  • The type of personal data, in particular those requiring special attention and precautions (e.g., banking information).

In this context, FABA applies the following retention periods:

  • Data concerning Members is retained for the duration of their membership of FABA, and for a maximum of three years after the end of their membership, their last participation in an event, or their last interaction with FABA.
  • Data concerning non-member Data Subjects is retained for a maximum of three years following their last participation in an event or their last interaction with FABA.
  • The data will then be irreversibly deleted or anonymized by FABA, unless such data must be retained for accounting purposes, in connection with legal obligations, dispute resolution, debt collection, or fraud prevention. Invoices will be retained for a period of ten (10) years from their date of issue.
  • Bank details and credit card information are not retained after payment.
  • In the event of a dispute relating to a transaction or use of the Site, or in the event of a dispute, the data relating to the transaction, use of the Site, or dispute in question will be retained for the applicable limitation periods.

For more information on the retention period for personal data, Data Subjects are invited to contact FABA using the contact details provided in Article 10 below.

9. User Rights

Data Subjects have the following rights under the GDPR and applicable laws in France:

  • Right to information: Data Subjects have the right to obtain from FABA information relating to the processing of their personal data by FABA.
  • Right of access: Data Subjects have the right to obtain confirmation from FABA as to whether or not their personal data is being processed and, where it is, access to that data and information relating to the purposes of the processing (Art. 15 of the GDPR).
  • Right to rectification: Data Subjects have the right to obtain from FABA, without undue delay, the rectification of their personal data that they consider inaccurate (Art. 16 of the GDPR).
  • Right to erasure: Data Subjects have the right to obtain from FABA the erasure of their personal data, under the conditions set out in Article 17 of the GDPR. This right does not apply when the processing is based on a legal obligation. When the processing is necessary for the performance of a contract or a pre-contractual measure, FABA will not be able to perform the said contract or the said pre-contractual measures or implement the services concerned in the event of erasure.
  • Right to restriction of processing: Data Subjects may obtain from FABA the restriction of the processing of their personal data under the conditions set out in Article 18 of the GDPR. This right does not apply when the processing is based on a legal obligation. Where processing is necessary for the performance of a contract or pre-contractual measures, FABA will not be able to perform the contract or pre-contractual measures or implement the services concerned in the event of restriction of processing.
  • Right to object: Data Subjects have the right to object at any time to the processing of their personal data, under the conditions set out in Article 21 of the GDPR. This right does not apply when the processing is based on a legal obligation. When the processing is necessary for the performance of a contract or a pre-contractual measure, FABA will not be able to perform said contract or said pre-contractual measures or implement the services concerned in the event of opposition to the processing of personal data.
  • Right to portability: Data Subjects have the right to receive from FABA, or to request FABA to send to a third party, personal data concerning them that they have provided to FABA, in a structured, commonly used, and machine-readable format (Art. 20 of the GDPR).
  • Right to withdraw consent: Data Subjects have the right to withdraw their consent to the processing of their data if such processing is based on consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  • Right to organize the fate of one’s personal data after death: Data Subjects may define general or specific post-mortem instructions relating to the storage, erasure, and communication of their personal data after their death (Data Protection and Liberties Act No. 78-17 of January 6, 1978, as amended, Art. 40, II).
  • Right to lodge a complaint with a supervisory authority: without prejudice to any other administrative or judicial remedy, Data Subjects have the right to lodge a complaint with a supervisory authority if they consider that the processing of personal data concerning them constitutes a violation of the regulations applicable to personal data (Art. 77 of the GDPR).

In France, the supervisory authority is the CNIL, whose headquarters are located at 3 place de Fontenoy, 75007 Paris, and whose website is accessible at the following address: https://www.cnil.fr

However, Data Subjects are invited to contact FABA before lodging a complaint with a supervisory authority or before taking any other administrative or judicial action.

Data Subjects may exercise these rights with FABA (using the contact details provided in Article 10 “Contact” below) free of charge, except in cases of manifestly unfounded, excessive, or repeated requests, in which case fees may apply.

10. Contact

For more information on the processing of their personal data or to exercise their rights, Data Subjects may contact FABA at the following address:

Email : contact@faba-france.org

Postal address: French American Bar Association
LIBRA AVOCATS Law Firm
5 rue Juliette Récamier
75007 Paris