PRIVACY POLICY

1. Definitions

1.1. Data Controller (Administrator) – The law firm "AMBASSADORS," a legal entity established in accordance with the Law of Ukraine "On Advocacy and Advocate's Activity," located at 01132, Kyiv, Taras Shevchenko Boulevard, 33B, Europa Plaza Business Center, 11th floor.

1.2. Personal Data – Information or a set of information about an identified or identifiable natural person, identifiable by one or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity, including images, voice recordings, contact details, location data, information contained in correspondence, information collected through recording devices or other similar technology, as well as the IP address of a device, online identifier, and information collected via cookies and other similar technologies.

1.3. Data Protection Officer (DPO) – The person responsible for organizing the protection of personal data during processing, appointed by the Administrator.

1.4. Data Subject – A natural person whose personal data is processed by the Administrator.

1.5. Employee – A natural person employed by the Administrator.

1.6. Policy – This Personal Data Protection Policy.

1.7. Website – The website managed by the Administrator at the address:

1.8. User – Any natural person who visits the Website or uses one or more services or functions described in the Policy.

1.9. Client – A person who contacts the Administrator to receive legal services for themselves or on behalf of a third party.

1.10. Consent of the Data Subject – A voluntary expression of will by a natural person (provided they are informed) regarding permission to process their personal data in accordance with the stated purpose of processing, expressed in writing or in a form that allows concluding that consent has been given.

1.11. Categories of Data Processed:

1.11.1. For Clients – Surname, first name, patronymic, email, phone, address, and other data necessary for the fulfillment of the contract. Such data are additionally protected by attorney-client privilege.

1.11.2. For Website Users – Surname, first name, patronymic, email, phone, IP address, and cookie data.

2.1. This Policy is a part of the Data Protection Policy of the Administrator, which regulates the principles of Personal Data processing on the Administrator's Website.

2.2. The implementation of this Policy aims to ensure compliance with Ukrainian legislation in the processes of Personal Data processing by the Administrator, regardless of the form (electronic or paper) in which the processing occurs.

2.3. In connection with its activities, the Administrator collects and processes Personal Data in accordance with applicable legal provisions, namely:

2.3.1. The Administrator ensures that the processing of Personal Data is lawful.

2.3.2. The Administrator ensures the accuracy and transparency of Personal Data processing, including always informing about the processing of Personal Data during their collection, including the purpose and legal basis of processing.

2.3.3. The Administrator ensures that Personal Data is collected for specific, explicit, and legally justified purposes and is not processed in a way that is incompatible with these purposes.

2.3.4. The Administrator ensures that it processes data only to the extent necessary to achieve the purpose for which the Personal Data was collected.

2.3.5. The Administrator ensures that the Personal Data it processes is accurate and up-to-date where necessary and takes all reasonable steps to ensure the immediate deletion or correction of Personal Data that is inaccurate concerning the purposes for which it is processed.

2.3.6. The Administrator ensures that Personal Data is processed only for the period necessary to achieve the processing purposes.

2.3.7. The Administrator ensures the security of Personal Data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, by implementing appropriate technical or organizational measures.

2.3.8. The Administrator ensures, through appropriate technical and organizational measures, the ability to demonstrate compliance with data protection regulatory requirements.

2.3.9. The Administrator ensures that all Employees and partners of the Administrator adhere to this Policy.

2.4. In connection with the User's use of the Website, the Administrator collects data to the extent necessary to provide certain offered services. Detailed principles and purposes of Personal Data processing collected from the User while using the Site are described below.

3.1. Before granting access to the processing of Personal Data, the Administrator introduces each Employee who processes Personal Data to the Policy, including the procedures and rules regarding the protection of Personal Data applicable within the Administrator's organization, with acknowledgment by the Employee’s signature.

3.2. The processing of Personal Data by Employees may occur only based on a documented authorization from the Administrator. Additionally, the Administrator requires authorized persons to maintain the confidentiality of Personal Data and adhere to data security requirements, as well as comply with the Policy, including the procedures and rules regarding the protection of Personal Data applicable within the Administrator's organization.

3.3. The Administrator appoints a person responsible for the area of personal data protection, entrusting them with the functions of a Data Protection Officer (DPO), and provides adequate means and resources necessary to fulfill their assigned tasks.

3.4. The tasks of the Data Protection Officer include, but are not limited to:

3.4.1. Informing the Administrator and Employees who process Personal Data about their obligations concerning the protection of Personal Data, as well as providing advice on this matter;

3.4.2. Monitoring the compliance of authorized persons with the provisions regarding the protection of Personal Data, as well as the internal policies and procedures applied in this regard within the Administrator's organization;

3.4.3. Conducting activities to raise awareness about Personal Data protection, including training personnel involved in processing operations and conducting relevant audits;

3.4.4. Providing recommendations, upon request, regarding the assessment of data protection impacts and monitoring its implementation;

3.4.5. Cooperating with the supervisory authority;

3.4.6. Other tasks.

3.5. The Data Protection Officer performs their tasks with due regard to the risks associated with processing operations, considering the nature, scope, context, and purposes of the processing.

3.6. Employees who process personal data are required to:

3.6.1. Process personal data in accordance with their job responsibilities and with due diligence;

3.6.2. In the event of detecting a personal data protection breach, immediately report it to their immediate supervisor and the Data Protection Officer;

3.6.3. Participate diligently in organized training in the field of Personal Data protection;

3.6.4. Maintain the confidentiality of personal data and information on how it is protected, in accordance with the signed confidentiality agreement.

4.1. The Administrator implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of violations of the rights and freedoms of individuals, considering the varying likelihood and severity of such risks. The Administrator takes into account the state of technical knowledge, the cost of implementation, and the nature, scope, context, and purposes of processing.

4.2. When assessing whether the level of security is adequate, the Administrator considers, among other things, the risks associated with processing, including the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data transmitted, stored, or otherwise processed.

4.3. To ensure the integrity and confidentiality of Personal Data, the Administrator provides access to Personal Data only to authorized persons and only to the extent necessary for the tasks they perform. The Administrator employs organizational and technical solutions to ensure that all operations on Personal Data are logged and carried out only by authorized personnel.

4.4. The Administrator conducts ongoing risk assessments related to the processing of Personal Data and monitors the adequacy of the data security measures used to mitigate identified threats. If necessary, the Administrator implements additional measures to enhance the security of Personal Data.

4.5. If the purposes for which the Administrator processes Personal Data do not require the Administrator to identify the Data Subject, the Administrator is not obliged to maintain, obtain, or process additional information for the identification of the Data Subject solely to comply with regulatory requirements.

5.1. The Administrator requires all individuals processing Personal Data to immediately report any observed breaches of Personal Data protection.

5.2. The Administrator ensures that it promptly notifies data subjects of any Personal Data breaches if such breaches may result in a high risk to their rights or freedoms.

5.3. In each case, the Administrator investigates the breach and takes appropriate organizational and technical measures to address it.

5.4. The Administrator documents all Personal Data breaches, including the circumstances of the breach, its consequences, and the measures taken to rectify it.

6.1. The Administrator ensures the implementation of data subjects' rights in accordance with the principles outlined in the legislation, specifically:

6.1.1. Right to information about data processing - The Administrator provides the requester with information about the processing of Personal Data, including, among other things, the purposes and legal basis for processing, the scope of Personal Data stored, the entities to whom it is disclosed, and the planned date for the deletion of Personal Data.

6.1.2. Right to obtain a copy of data - The Administrator provides the requester with a copy of the Personal Data concerning them.

6.1.3. Right to rectification - Upon request, the Administrator corrects any inaccuracies or errors in the processed Personal Data and completes it if it is incomplete.

6.1.4. Right to erasure - The Administrator deletes or anonymizes Personal Data upon request if the processing is no longer necessary for the purposes for which it was collected.

6.1.5. Right to restrict processing - Upon request, the Administrator ceases processing Personal Data - except for operations to which the data subject has consented - and retains it in accordance with the accepted retention principles or until the reasons for restricting the processing of Personal Data cease.

6.1.6. Right to withdraw consent - If Personal Data is processed based on consent, the data subject has the right to withdraw their consent at any time, which, however, does not affect the legality of the processing carried out before the withdrawal.

7.1. The Administrator takes appropriate measures to ensure that communication with data subjects is conducted in a concise, transparent, and easily accessible form, using clear and simple language.

7.2. The Administrator provides information to data subjects in writing or other forms, including, where appropriate, electronically. If requested by the data subject, the Administrator provides information orally, provided that the identity of the data subject can be confirmed by other means.

8.1. The Administrator transfers Personal Data to another controller only under conditions required by law.

8.2. The processing of Personal Data is entrusted by the Administrator based on a data processing agreement or other legal instrument.

8.3. The processing of Personal Data is entrusted by the Administrator only after verifying that the processor provides adequate guarantees of implementing appropriate technical and organizational measures to ensure that the processing meets legal requirements and protects the rights of data subjects.

9.1. Personal Data of all website users is processed by the Administrator:

9.1.1. In electronic form, within the framework of providing Users with content collected on the website—here, the legal basis for processing is the necessity of processing for the performance of a contract (legal basis for data processing: Article 11(1)(3) of the Law of Ukraine "On Personal Data Protection").

9.1.2. For establishing and reviewing claims or defending against claims—the legal basis for processing is the legitimate interest of the Administrator (legal basis for data processing: Article 11(1)(3) and (6) of the Law of Ukraine "On Personal Data Protection").

9.2. The Administrator provides the option to contact them through an electronic contact form. Using the form requires providing Personal Data necessary to contact the User and respond to the request. The User may also provide additional data to facilitate contact or processing of the request. Providing data marked as mandatory is necessary for the acceptance and processing of the request; failure to provide this data will result in the inability to process the request. Providing additional data is voluntary.

9.3. Personal Data is processed for the purpose of identifying the sender and processing their request sent through the provided form—the legal basis for processing is the necessity of processing for the performance of a service contract; for non-mandatory data, the legal basis for processing is consent (legal basis for data processing: Article 11(1)(1) of the Law of Ukraine "On Personal Data Protection").

9.4. The User's Personal Data may also be used by the Administrator to send marketing content through various channels, such as email, MMS/SMS (legal basis for data processing: Article 11(1)(1) of the Law of Ukraine "On Personal Data Protection").

9.5. Personal Data are processed:

9.5.1. To send requested commercial information—the legal basis for processing, including the use of profiling, is Article 11(1)(1) of the Law of Ukraine "On Personal Data Protection";

9.5.2. For analytical and statistical purposes—the legal basis for processing is the legitimate interest of the Administrator, which is to conduct analysis of User activity on the Website to improve the functionalities used: Article 11(1)(1) of the Law of Ukraine "On Personal Data Protection."

10.1. The Administrator uses cookies on the Website. The purposes and rules for the use of cookies can be found in the Cookie Policy.

10.2. In connection with the purpose for which cookies are used, the Company's Website may allow storing the following types of cookies on the User's device:

• Necessary
• Functional
• Statistical
• Marketing

10.3. Cookies classified as "Necessary" are required for the proper functioning of the website, and therefore the user cannot disable them using the cookie settings management tool. Disabling the storage of this type of cookie is only possible at the level of the internet browser, but in such a case, certain elements of the Website or the entire Website may not function properly.

10.4. The User can independently and at any time change the settings related to cookies, specifying the conditions for their storage and access to cookies on the User's device directly through the internet browser settings. These settings can be modified, for example, to block automatic processing of cookies in the browser settings or to be informed each time cookies are placed on the User's device. The User can delete cookies at any time using the available functions of the web browser they are using.

11.1. The data retention period by the Administrator depends on the type of service provided and the purpose of processing. As a rule, data is processed for the duration of the service provision, until consent is withdrawn, or an effective objection to data processing is raised in cases where the legal basis for data processing is the legitimate interest of the Administrator.

11.2. The data processing period may be extended if processing is necessary for establishing and reviewing potential claims or defending against claims, and thereafter only if and to the extent required by law. After the processing period, the data is irreversibly deleted or anonymized.

12.1. The User has the right to access data and request its correction, deletion, restriction of processing, data portability, and the right to file a complaint with the supervisory authority responsible for data protection.

12.2. The User also has the right to object to data processing based on the legitimate interest of the Administrator.

12.3. If the User's data is processed based on consent, they may withdraw this consent at any time by contacting the Administrator via [email protected]. 

12.4. In connection with the provision of services, Personal Data will be disclosed to third parties, including IT service providers, to ensure proper use of the Website.

12.5. With the User's consent, their data may also be made available to other parties for their own purposes, including marketing purposes.

12.6. The Administrator reserves the right to disclose selected User information to competent authorities or third parties requesting such information, based on the relevant legal grounds and in accordance with applicable laws.

12.7. The Administrator can be contacted via [email protected].

13.1. The Policy is regularly reviewed and updated as necessary.

13.2. The current version of the Policy is effective from [effective date].