Personal Data Protection Policy for the uianet.org/en website

Preamble

1. In the context of publishing the website https://www.uianet.org/en (hereinafter referred to as "the Website"), the Union Internationale des Avocats (hereinafter referred to as "UIA") collects and processes personal data from users of the Website (hereinafter referred to as "Users").
2. The main purpose of this data protection policy is to inform you, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "Regulation (EU) 2016/679" or "GDPR"), about how your personal information may be collected and processed through the Website in the context, in particular, of your browsing and use of the services offered.
3. Protecting your personal data is a priority for UIA. This is why we undertake to process such data in strict compliance with personal data protection regulations.
4. If you have any questions about this policy or the way in which the UIA handles your personal data, please send us an email at the following address: privacy@uianet.org

Article 1: Data controller

• The Union Internationale des Avocats, an association governed by the 1 July 1901 law, whose registered office is located at 23 Rue de la Victoire, 75009 Paris, France, is responsible for processing data on the Website.

Article 2: Who is this policy intended for?

5. This policy applies to Users of the Website, i.e. any person who accesses and browses the Website, regardless of the device used.
6. It is aimed in particular at:
   • UIA members;
   • Prospective UIA members;
   • Subscribers to the UIA newsletter;
   • More generally, it is intended for any person who is required to communicate personal data via the Website (for example through the contact form, UIA membership application or newsletter registration).

Article 3: Which categories of your personal data does UIA process?

7. By visiting the Website, Users are likely to transmit personal data, which will be processed in accordance with applicable regulations.
8. Any data collected during a visit to the Website is subject to fair and transparent information being provided to Users in the form of information notices at the time their personal data is collected.
9. In the context of processing personal data for the purposes set out below, UIA collects and processes the following categories of personal data:
   • Identity data: Title, surname, first name, date of birth, photograph, language.
   • Contact details (private and professional): Email address, telephone number and postal address.
   • Professional data: Professional activity, professional status, organisation name, intra-community VAT number, bar association, year of admission to the bar, bar membership certificate data, professional social media accounts and link to professional website.
   • Data related to the creation of the Members' Space account: Password, title, first name, surname, country, email address, date of birth, language of communication, professional activity and professional status.
   • Data related to the management of the Members' Space account: Browsing data and tracking of changes made to the account.
   • Data related to the creation of a Prospective Member's account: Password, title, first name, surname, country, email address, date of birth, language of communication, professional activity and professional status.
   • Data related to managing a Prospective Member's account: Browsing data and tracking of changes made to the Personal Space account.
   • Billing data: Billing address, credit card details.
   • Identity document and student card details.
   • Data related to a request or entered in a free comment field.
10. UIA is likely to collect other categories of data through passive or automatic data collection:
    • Technical, connection, browsing and location data is likely to contain certain information or characteristics relating to your personal computer, mobile terminal or other peripherals, such as connection data (including the number and date(s) of connections to the Website), browsing data collected via cookies and other tracking functions during your visit to the Website, the type of operating system and internet browser used, the IP address, the name and version of programmes installed on your computer and location information.

Article 4: How is your personal data used?

11. UIA undertakes to only use your personal data to the extent permitted by applicable regulations.
12. All data is processed in accordance with the intended purposes and in compliance with the Commission Nationale de l'Informatique et des Libertés reference guidelines on the processing of personal data for commercial activities and recruitment.
13. Each processing operation is based on specific purposes that pursue a legitimate, specific and explicit aim.
14. In compliance with the principle of data minimisation, UIA undertakes to collect and use only data that is adequate, relevant and limited to what is necessary for the purposes of processing.
15. UIA mainly processes your personal data to enable the execution of pre-contractual measures taken at your request, and to comply with legal or regulatory obligations. Certain processing operations may also be based on the legitimate interests of UIA or your consent, where required.
16. The main purposes of the processing carried out by UIA are:
    • Consideration of applications for UIA membership.
    • Managing and monitoring relations with members;
    • Canvassing professionals by sending out the newsletter.

17. The purposes for which your data is processed, along with their respective legal bases, are detailed below:

    Purpose of processing	Legal basis for processing
    Creating and managing the Member/Prospective Member Space account	Consent (GDPR Art. 6 a))
    Management and monitoring of UIA membership applications	Execution of pre-contractual measures requested by the data subject (GDPR Art. 6(b))
    Management and follow-up of relations with UIA members and prospective members (congresses, seminars, webinars, member directories, all media, etc.)	Execution of a contract to which the data subject is a party (GDPR Art. 6(b))
    Managing and monitoring invoicing	Execution of a contract to which the data subject is a party (GDPR Art. 6(b))
    Managing prospecting for professionals	Legitimate interest of the controller (GDPR Art. 6(f))
    Management of requests to exercise rights under the GDPR and the amended Data Protection Act	Compliance with a legal obligation to which the controller is subject (GDPR Art. 6(c))
    Ensuring the smooth running of the Website and its functionalities, and making improvements to it as required	Legitimate interest of the controller (GDPR Art. 6(f))

Article 5: Will your data be processed for a different purpose?

18. UIA will only use your personal data for the purposes it was collected for, unless it is considered reasonable that it should be used for another purpose that is compatible with the initial one.
19. If your personal data is used for purposes unrelated to the initial purpose, UIA will inform you, specifying the applicable legal basis.
20. Any other purpose or any change in the methods of processing personal data will be communicated to Users by any appropriate means.

Article 6: For how long is your data stored?

21. Your data will only be kept for as long as is necessary for the purposes set out below:

    Purpose of processing	Data retention period
    Creating and managing the Member/Prospective Member Space account	Data is retained until the user account is deleted. A Prospective Member's account is deleted after three (3) years of inactivity from their last connection. Once deleted, only data required for pre-litigation or litigation purposes is archived until the legal statute of limitations for the corresponding action has expired (five years for civil and commercial matters). Prospective Members' accounts are deleted three years from the date the data was collected or the last contact from the prospective member, unless they opt out of receiving marketing messages.
    Managing and monitoring membership applications	Membership duration. If membership does not proceed, the data will be kept for the time required to process the request.
    Management and follow-up of relations with UIA Members and Prospective Members (conferences, seminars, webinars, member directories, all media, etc.)	Membership duration. Once membership has ended, only the data required for pre-litigation or litigation purposes will be archived until the legal statute of limitations for the corresponding action has expired (five years for civil and commercial matters). Prospective Members' data is kept for three years from the date the data was collected or the last contact from the prospective member.
    Managing and monitoring invoicing	One year (annual membership), or until the end of the event in the case of payment for registration to a congress, seminar or webinar, plus a further five years. Only data required for pre-litigation or litigation purposes is archived until the legal statute of limitations for the corresponding action has expired (five years for civil and commercial matters). Accounting data is kept for ten years after the last transaction carried out by the member.
    Managing prospecting for professionals	Data relating to prospective members: Three (3) years from the date the data was collected or the last contact from the prospective member, unless they opt out of receiving marketing messages. Data relating to members: During the membership period and for three (3) years after the end of the relationship, unless they opt out of receiving marketing messages.
    Management of requests relating to rights under the GDPR and the amended Data Protection Act	The time necessary to respond to requests to exercise rights. Once the request has been processed in full, the data is archived: for six years if the request is to object to processing; for one year if the request is to access, rectify, delete or limit processing, or to port data.
    Proper operation and continuous improvement of the Website and its functionalities	Life span of cookies and other trackers

Article 7: Who may have access to your personal data?

22. For the purposes specified in Article 4 of this Personal Data Protection Policy and within the limits of their responsibilities, the main people who may have access to your data are as follows:
    • Authorised UIA staff.
    • Authorised staff of our subcontractors and service providers.
    • Competent public authorities, where applicable.
    • Third parties that are likely to place cookies on your devices with your consent.
23. When UIA engages a service provider, it will only share personal data with them once it has obtained assurances regarding their ability to meet these security and confidentiality requirements.
24. In compliance with its legal and regulatory obligations, UIA shall enter into contracts with its subcontractors, precisely defining the terms and conditions of data processing by the latter in accordance with the personal data protection regulations, particularly Article 28 of the GDPR.

Article 8: Will your personal data be transferred outside the European Union?

25. The storage of data on the Website is provided by: Scaleway SAS.
26. In the event that personal data is transferred to a recipient country which does not ensure an equivalent level of protection to that of the European Union, UIA undertakes to take all necessary measures to ensure the protection of your personal data on the basis of appropriate guarantees (in particular standard contractual clauses defined by the European Commission) when processing is carried out subsequently on the basis of data collected from the Website. This will be done in the absence of a decision concerning competence and after having assessed the level of protection of your rights in the third country where the recipient of your personal data is established. You can obtain more information about this by contacting the UIA directly at privacy@uianet.org

Article 9: How is your data protected?

27. UIA places great importance on the security of personal data. It has put in place technical and organisational measures that are appropriate to the sensitivity of the personal data, with the aim of ensuring its integrity and confidentiality, and protecting it against malicious intrusion, loss, alteration or disclosure to unauthorised third parties.
28. UIA has implemented technical and organisational security measures to protect your personal data against potential breaches that could result in the accidental or unlawful destruction, loss, alteration, access or disclosure of personal data.
29. These measures shall ensure an appropriate level of security for personal data, taking into account the state of knowledge, the implementation costs in relation to the risks, and the nature of the data to be protected.
30. UIA further guarantees that its staff members and any other persons required to process your personal data comply with the applicable internal rules and procedures, particularly the technical and organisational security measures put in place to protect your data.
31. In the event of a personal data breach, UIA shall inform you and the Commission Nationale de l'Informatique et des Libertés (CNIL) if the conditions required by the personal data protection regulations are met.

Article 10: What rights do you have regarding your personal data?

32. UIA is particularly concerned about respecting the rights granted to you in the context of its data processing activities, in order to guarantee fair and transparent processing that takes into account the specific circumstances and context in which your personal data is processed.
33. In accordance with Articles 15 to 18 and 20 to 21 of the GDPR, you have the following rights in relation to your personal data:
    • You may request access to, and a copy of, the personal data that UIA holds about you, including in electronic format.
    • You may request the correction, updating and, where permitted by law, the deletion of your personal data, as well as the restriction of its processing.
    • You may request that the use of your personal data be discontinued, where permitted by law.
    • You may request the portability of your personal data, where possible.
    • You may withdraw your consent at any time, without affecting the lawfulness of any processing carried out before your withdrawal.
    • You may communicate your advance instructions to UIA concerning your personal data in the event of your death (for example, deletion or transmission to a person of your choice).

34. The following table summarises the rights granted according to the legal basis of the processing:

    	Access	Correction	Deletion	Restriction	Portability	Opposition
    Consent	☒	☒	☒	☒	☒	Withdrawal of consent
    Pre-contractual measures / Contract	☒	☒	☒	☐	☒	☐
    Legitimate interest	☒	☒	☒	☒	☐	☒
    Legal obligation	☒	☒	☒	☐	☐	☐

35. If your processing is based on a legal obligation, the right to deletion can only be applied if the processing meets the following conditions:
    • The personal data is no longer necessary for the purposes for which it was collected or otherwise processed; or
    • The personal data has been processed unlawfully; or
    • The personal data must be deleted to comply with a legal obligation under the European Union or Member State law to which the controller is subject.
36. In certain circumstances, UIA may ask you for specific information to confirm your identity and ensure you can exercise your rights. This is another appropriate security measure designed to prevent personal data from being disclosed to unauthorised individuals.
37. If you have any questions or wish to exercise your rights, please send us your request:
    • By email to privacy@uianet.org
    • By post to the following address: 23 Rue de la Victoire, 75009 Paris, France.
38. You will receive a reply within one month of us receiving your request. If necessary, this period may be extended by a further two months. If this happens, we will inform you and explain why.
39. You have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL – Service des Plaintes – 3 Place de Fontenoy – TSA 80715 – 75334 Paris CEDEX 07, France) or via the dedicated form: https://www.cnil.fr/fr/plaintes).

Article 11: Can this policy be modified?

40. Yes, UIA may update this policy at any time.
41. This data protection policy may be modified, particularly in the event of changes to the services offered on the Website. Therefore, we recommend that you consult the policy each time you access the Website.
42. The date at the top of this policy indicates when it was last updated.

Reference Date : 08/12/2025