Privacy Statement EY Law
EY Law cares about your privacy and treats personal data with the strictest confidentiality and always in accordance with the applicable legislation. This privacy statement (“Privacy Statement”) explains what personal data are collected and processed, for which purposes, how long we hold the personal data for, what your rights are in this regard and how to contact us.
This Privacy Statement is applicable, inter alia, to (i) our website www.eylaw.be and its related weblinks (hereinafter our “Website”) and (ii) all relations between EY Law and its clients, applicants, suppliers and partners.
Who is your Controller?
EY Law BV, with registered office at Kouterveldstraat 7B/2, B-1831 Diegem (Brussels), Belgium and registered in the Crossroads Bank for Enterprises under the number BE0536.360.510 (hereinafter “EY Law” or “we” or “us”), is responsible for the processing of your personal data as described in this Privacy Statement.
The processing of your personal data by EY Law shall always be performed together with the lawyer or lawyers who you are corresponding with. An overview of our lawyers can be found on our Website. As for the exercise of your data protection rights you can reach out to EY Law as your point of contact (see section 8 of this Privacy Statement for further practical information on how to contact us).
What personal data do we process of you?
Personal data are data that can be used to directly or indirectly identify an individual person. We process different types of personal data of you. For instance, if you make use of our legal services, apply for a vacancy, ask questions through our Website and/or make use of our other services (hereinafter to be referred to jointly as the “Services”).
Most commonly, we process the following categories of personal data:
- Identification data: your first name and last name (including name prefix if applicable), title, function, phone number, e-mail address, office address;
- professional data: any information you share with us in relation to the company you work for, company address, company registration details and VAT details;
- communication data: other personal data contained in the e-mail correspondence with us and/or other (forms of) communication (via telephone, virtual or physical meetings, letters);
- information on our (potential) engagement: any relevant information on our engagement if you are already a client, the content of the case, and personal data contained in any document provided to us which may be relevant for the delivery of our Services. Also, any relevant personal data provided to us during the request for a proposal if you are not yet in a client relationship with us;
- financial data: payment history and any other information on payments by our clients and to our suppliers and business partners, the bank account number of our client, our suppliers and business partners, and the point of contact for sending of our invoices if different from our usual contact person or for payment of our invoices towards suppliers and business partners;
- Any other categories of personal data as identified below under title 3.
Which personal data do we process of you, for which purposes, and based on which legal grounds?
Depending on your use of our Services, please consult the below overview to see for which purposes we process your personal data, on which legal basis and for how long.
- If you are a (potential) client
If you are a prospect or a client of us, EY Law collects and processes the following personal data:
| Purpose | Type of personal data | Processing ground | Retention period |
| To provide (potential) clients with a proposal on our Services and deliver and execute our Services as described on our Website |
| The processing of this personal data is necessary for the performance of our services contract with you or to take steps at your request as our potential client prior to entering into a services contract with you. | Your personal data will be kept for as long as necessary during the execution of our Services and client relationship and will be deleted 10 years after the expiry or termination of our client relationship, unless a longer retention term applies in accordance with applicable laws or deontological rules to which we are subject. |
| To perform a client acceptance investigation and to comply with any legal obligations (e.g. client conflicts) including the obligation of keeping an up-to-date client administration |
| The processing of this personal data is necessary to comply with our legal obligations: pursuant to applicable laws (e.g. anti-money laundering laws) and our deontological code as lawyers, all legal and financial service providers including EY Law are required to have at their disposal certain information and/or documents regarding the identity of their clients.
For the personal data we process in light of this activity that goes beyond what is strictly required under our legal obligation, we process this personal data to pursue our legitimate interest as a law firm, namely to be vigilant for anti-money laundering practices when applying to the Service of a law firm. | See above |
| To maintain a business relationship with our clients, by way of sending them newsflashes and newsletters, or legal updates by e-mail and/or invitations to our events |
| The processing of this personal data is necessary to pursue our legitimate interests, namely if you are our client we believe one of our core objectives is to communicate to you relevant legal and tax developments and invite you to our events. We also aim to send only relevant mailings to you and personalised mailings based on our engagement data.
The processing is based on your consent if you have registered for one of our events. | Until you object or withdraw your consent (e.g. unsubscribe from our newsletters)
|
| To make or collect any payments |
| The processing of this personal data is necessary for the performance of our services contract with you | Your personal data will be kept for as long as necessary during the execution of our Services and client relationship and will be deleted 10 years after the expiry or termination of our client relationship, unless a longer retention term applies in accordance with applicable laws or deontological rules to which we are subject. |
| To handle any complaints and/or process feedback |
| The processing of this personal data is necessary to pursue our legitimate interest as a law firm, namely to provide the best possible Services to our clients and uphold the reputation of our firm. | Your personal data will be kept for as long as necessary during the execution of our Services and client relationship and will be deleted 10 years after the expiry or termination of our client relationship, unless a longer retention term applies in accordance with applicable laws or deontological rules to which we are subject. |
In most instances you will have provided this data to us yourself, for example in response to a request for information via email, information received during the performance of our Services, feedback received from you via email or advocatenscore.be. In some cases we will have collected this data indirectly, i.e. via other (publicly or lawyer specific) accessible sources (e.g. public information from the Crossroads Database for Enterprises).
As the vast majority of our clients are legal entities, we rely on our legitimate interest to process personal data of employees or representatives of our (potential) clients
Where relevant, we will share your personal data with third parties, where this is required for the purposes as set out above or where these third parties assist us in this respect. Such third parties can be the notary public, a bank and/or insurance company, external experts, a judicial administrator, the chairman of the bar association, debt-collection agencies, relevant tax authorities within the EU, police authorities, courts and tribunals, bailiffs.
- If you are an applicant
If you are an applicant of EY Law (in relation to a vacant position posted on our Website or a spontaneous application), EY Law collects and processes the following personal data:
| Purpose | Type of personal data | Processing ground | Retention period |
EY Law recruitment process:
|
| The processing of this personal data is necessary to pursue our legitimate interest, namely to attract the best candidates, to properly assess whether a candidate is suitable for the position and fits our company culture with a view to filling in job vacancies.
As the recruitment process develops and the more appropriate candidate(s) has(ve) been selected, this personal data will be processed for the performance of a contract. | Your personal data will be kept during our application and selection procedure and will be kept for 18 months after completion thereof. |
In most instances you will have provided this data to us yourself, for example via your curriculum vitae and/or via interviews. We may also obtain your personal data from employment agencies, head-hunters or selection firms. Furthermore, we may obtain personal data relating to you from other sources, such as social media platforms like LinkedIn.
We use third party service providers for certain aspects of our application and selection procedure (such as personality and IQ tests). If you apply for a specific job vacancy at EY Law, we will share your personal data with these service providers during the progress of our recruitment process.
- If you are a supplier & business partner
If you are a supplier or a business partner of us, EY Law collects and processes the following personal data. In principle, you will have provided this data to us yourself.
| Purpose | Type of personal data | Processing ground | Retention period |
goods or services delivered by suppliers and/or business partners for the performance of our own Services
|
| The processing of this personal data is necessary for the performance of a contract
| Your personal data will be kept in line with our applicable archiving policy unless if it forms an integral part of our Services to our clients in which case the data retention period above for our clients will apply. |
- If you are a Website visitor
If you are a website visitor, EY Law collects and processes the following personal data:
| Purpose | Type of personal data | Processing ground | Retention period |
to communicate with website visitors (i.e. provide you with the information you have requested) when they reach out to us via email |
| processing is necessary for the purposes of the legitimate interests pursued by EY Law or by a third party: The legitimate interest pursued for purpose II is responding to contact requests by website visitors. The legitimate interest pursued for purpose III is to provide a well-functioning and user-friendly website. |
|
Our Website does not use cookies and, as such, does not process any personal data through cookies.
- Third parties
Furthermore, we may collect and processes personal data of you for the following purposes:
| Purpose | Type of personal data | Processing ground | Retention period |
to communicate with you if you have provided us your business card
|
as mentioned on your business card | The processing of this personal data is necessary to pursue our legitimate interests, namely to stay connected with you following the exchange of business cards and reach out to you if you have given us your contact details for a certain purpose, such as to send you information on a specific matter | Your personal data will be kept in line with our applicable archiving policy. |
| To provide our Services to our clients, we may need to process personal data of third parties to provide our Services to our client (e.g. employees, suppliers, customers of our clients, notaries and alike) |
| The processing of this personal data is necessary to pursue our legitimate interests, namely to provide our Services to our clients it can be expected that we process personal data of other individuals than our clients if relevant and necessary for the Service (e.g. in case of litigation). | Your personal data will be kept for as long as necessary during the execution of our Services and client relationship and will be deleted 10 years after the expiry or termination of our client relationship, unless a longer retention term applies in accordance with applicable laws or deontological rules to which we are subject. |
| Visitor registration for visitors to our offices |
| The processing of this personal data is necessary to pursue our legitimate interests, namely to manage and control access to our offices and ensure the security of our offices. | Your personal data will be kept in line with our applicable archiving policy. |
Corporate Compliance:
|
| The processing of this personal data is necessary to comply with our legal obligations: pursuant to applicable laws (e.g. the Companies and Associations Code, Whistleblowing Act, the GDPR) | Your personal data will be kept in line with the applicable data retention periods identified in these laws. |
| To defend our rights in case of a dispute |
| The processing of this personal data is necessary to pursue our legitimate interests, namely to safeguard our rights in case of a dispute | If we reasonably believe there is a prospect of litigation in respect to our relationship with you, we may retain your personal data for longer than the retention periods identified above. |
In most instances you will have provided this data to us yourself, for example by providing us with your business card, or by asking us a question via e-mail. In some instances, we have obtained your personal data indirectly, via our client, via a data breach notification report, whistleblowing report. Where we received your personal data indirectly, we will do our best to provide you with the information in this Privacy Statement within a reasonable period after receipt of your data, unless if the data must remain confidential subject to our obligation of professional secrecy.
With whom do we share your personal data?
We share your personal data with third parties within the context of our efforts to provide our Services to you in the best possible way and to ensure efficient business operations, as well as to safeguard our interests and to comply with our legal obligations.
Where relevant, we have indicated per type of data subject with whom we share your personal data if that was necessary to provide the Service to you. Other than those listed above, we may also share your personal data with the following third parties:
postal companies and couriers if we need to send you written communications, file documents, or other items;
payment service providers if we receive payments from you, or make payments to you;
processors who assist us in the technical or IT field with the operation of our businesses, for the purpose of a secure and efficient digital data management within our businesses and optimal delivery of our Service delivery, such as software service providers, hosting providers, website and data centre managers, and providers of back-up services;
government bodies, law enforcement, judicial authorities, practitioners of regulated professions such as accountants, auditors, bailiffs, notaries, or other independent external advisors, and collection agencies, for the purpose of complying with our legal obligations and insofar necessary for the establishment, exercise or defense of legal claims or to otherwise enforce our rights, protect our property or the rights, property or safety of others, or as needed to support external audit, compliance and corporate governance functions.
Furthermore, EY Law has a privileged cooperation with EY Tax Consultants BV and as such is in certain circumstances part of the global organization of member firms of Ernst & Young. For certain of our business activities, we share resources or make use of the resources of an EY member firm. This is the case for our recruitment services, for our reception of office visitors, for certain aspects of our client and supplier management (e.g. file creation, invoicing). For such administrative and infrastructure-related reasons, we will share your personal data within the global organization of member firms of Ernst & Young.
Do we transfer your personal data outside of the European Economic Area?
The European Economic Area ("EEA") includes the countries of the European Union (EU), Norway, Liechtenstein, and Iceland. The GDPR requires adequate safeguards if your personal data is transferred to entities in countries outside the EEA (such as entering into agreements based on the European Commission’s Standard Contractual Clauses).
EY Law aims to keep your personal data on servers and in data centres within the EEA as much as possible and to only transfer your personal data to third countries outside of the European Economic Area when suitable instruments are in place to guarantee essentially equivalent protection of your personal data. However, in light of our structure (see title 4 above), transfers within the global organization may take place for which we put the appropriate safeguards in place.
How do we secure your data?
We protect the confidentiality and security of information we obtain in the course of our business. In light hereof we have put appropriate technical and organizational measures in place in order to safeguard your personal data against loss or misuse and improper disclosure. We also have policies and procedures in place that are designed to safeguard your personal data to the best of our endeavours.
We maintain a comprehensive information security program that is proportionate to the risks associated with the processing. The program is continuously adapted to mitigate operational risks and to protect personal data, taking into account industry-accepted practices.
Access to personal data is restricted to authorized recipients on a need-to-know basis and subject to strict confidentiality obligations. Furthermore, our lawyers have a confidentiality obligation as prescribed by the applicable code of conduct.
What rights do you have?
- You have a number of rights with regard to your personal data and the processing thereof:
- Right of access: you have the right to obtain from EY Law confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to your personal data and additional information about the processing of your personal data;
- Right to rectification: you have the right to request rectification of your personal data, for example if your personal data is not accurate;
- Right to erasure: in certain cases, you have the right to request EY Law to erase your personal data;
- Right to restriction of the processing: in certain cases, you have the right to obtain from EY Law restriction of processing of your personal data, for example when you have contested the accuracy of your personal data;
- Right to withdraw consent: you have the right to withdraw your consent at any time (if EY Law is processing your personal data based on your consent). Withdrawal will have no retroactive effect, meaning that your consent is only valid as from the moment it is withdrawn;
- Right to data portability: upon your request, you have the right to receive your personal data which you have provided to EY Law in a structured, commonly used and machine-readable format and have the right to require from us to transmit those data to another controller, where the processing is based on your consent or on a contract;
- Right to object: you have the right to object to processing of personal data which is based on the legitimate interests of EY Law, including direct marketing. EY Law shall in that case no longer process the personal data, unless EY Law demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims;
- Automated decision making: you have the right to not be subject to a decision based solely on automated processing including profiling, which produces legal effects for you or similar significantly affects you.
- These rights are not absolute. In some cases, EY Law may reject your request if the professional confidentiality obligations of EY Law’s lawyers override your interests. With regard to a request to erase personal data, it should be taken into account that EY Law shall not comply with such request, if it is incompatible with any legal retention obligations of EY Law.
- If you wish to exercise any of the rights set out above, please see title 8 of this Privacy Statement on how to contact us. Any information provided shall be initially free of charge. We will usually respond to your request within one month, unless this is not possible due to the complexity of your request, or the number or requests submitted. In such an exceptional case, we will inform you as soon as possible and extend our response period by a maximum of two months.
- In addition to the above rights, if you are unsatisfied with the processing of your personal data by us, the handling of a request by us or if you have any other complaints, then you have the right to lodge a complaint with the competent supervisory authority. For Belgium this is the Data Protection Authority (Gegevensbeschermingsautoriteit/Autorité de protection des données): https://www.gegevensbeschermingsautoriteit.be.
Questions and contact details
If you have any questions about this Privacy Statement or the way we process your personal data, or if you wish to submit a request in order to exercise your rights as stated in title 7 of this Privacy Statement, please contact us by e-mail at secretariaat@be.ey.com or alternatively by post.
Changes to this Privacy Statement
We reserve the right to update and amend this Privacy Statement if, for example, there are changes in the way we process your personal data, or if legislation changes. Nothing in this Privacy Statement is intended to create any obligation or cause any agreement to be concluded between EY Law and any visitor to this Website. If you are interested in receiving previous versions of this privacy policy please don’t hesitate to reach out to us.
Last updated on 19 September 2025.