Privacy Policy

Last updated: January 2026

 

This Unified Privacy Policy (the “Policy”) governs the processing of personal data carried out in the context of the provision of legal services by BELZUZ ABOGADOS, S.L.P. and BELZUZ ABOGADOS, S.L.P. – Portuguese Branch, through any channel (in person, electronic, telephone or online), including via the website https://belzuz.com.

This Policy is drafted in accordance with Regulation (EU) 2016/679 (“GDPR”), and with the applicable national data protection legislation in Portugal and Spain. Where national legal requirements differ, such differences are expressly identified in clearly signposted sections.

This Privacy Policy aims to inform, in a clear and transparent manner, how we collect, use, store and protect your personal data, as well as the rights you have as a data subject.

1. Data controllers and scope of application

1.1. Spain

BELZUZ ABOGADOS, S.L.P.

Calle Núñez de Balboa, 115 bis, 1º C 28006 Madrid, Spain

Tel.: +34 91 562 50 76

Email: [email protected]

BELZUZ ABOGADOS, S.L.P. acts as data controller for personal data processed in the context of legal matters managed in Spain, as well as for data submitted through the website and intended for the Spanish entity.

1.2. Portugal

BELZUZ ABOGADOS, S.L.P. – Portuguese Branch

Av. Duque d’Ávila, 141 – 1º Dto. 1050-081 Lisbon, Portugal

Tel.: +351 21 324 05 30

Email: [email protected]

The Portuguese Branch acts as an independent data controller for personal data processed in the context of legal matters managed in Portugal, including data submitted through website forms specifically addressed to the Portuguese Branch.

1.3. Data Protection Officer

No Data Protection Officer (“DPO”) has been appointed, as the conditions set out in Article 37 GDPR are not met. Any questions relating to personal data protection may be addressed using the contact details above.

2. Independent controllership between Spain and Portugal

BELZUZ ABOGADOS, S.L.P. and BELZUZ ABOGADOS, S.L.P. – Portuguese Branch act as independent data controllers, within the meaning of Article 4(7) GDPR, in the scope of their respective professional mandates and legal matters managed by them in Spain and Portugal, respectively.
Where, at a stage prior to the formalization of the mandate or, where applicable, within the scope of the coordinated provision of cross-border legal services, one entity communicates to the other limited personal data consisting strictly of the identification and contact details necessary for the preliminary analysis of the matter and the possible submission of a proposal for legal services in the relevant country, such communication constitutes a data transfer between controllers, based on pre-contractual steps at the request of the data subject, compliance with legal obligations and the legitimate interest in ensuring adequate and continuous legal defense and advice.

Each entity independently determines the purposes and essential means of the processing it carries out, individually assuming compliance with the obligation’s incumbent upon it under the GDPR, namely regarding lawfulness, information to data subjects, exercise of rights, data security and retention.

In all cases, data sharing between the entities is carried out in strict compliance with professional secrecy obligations and solely to the extent necessary for the proper provision of the contracted legal services. The exercise of data subject rights may be restricted where required to safeguard legal professional privilege, the right of defense, or the rights and freedoms of third parties, as permitted by law.

3. Categories of personal data and sources

Personal data means any information relating to an identified or identifiable natural person. Belzuz may collect and process different categories of personal data, depending on the relationship established with the data subject and the purposes involved.

The main categories of data include:

• Identification and contact data – first and last name, date of birth, address, email address, telephone number, nationality, tax identification number or national ID.
• Professional data – position, role, employer, academic and professional background.
• Data related to the provision of legal services – information on cases, communications, documents and other information relevant to the execution of the mandate, including, where strictly necessary and with appropriate legal safeguards, special categories of personal data under Article 9(2) GDPR.
• Billing and financial data – payment details, bank account number, information on contracted services.
• Browsing data – collected through cookies and similar technologies (see our Cookie Policy).
• Other data – any other data voluntarily provided in the context of the professional relationship.

Personal data may be collected:

• Directly from the data subject, through website forms, email, telephone, meetings, events, spontaneous applications or exchange of business cards;
• Indirectly, through public sources, clients, counterparties, authorities or third parties, where necessary for the exercise of legal activity and in compliance with applicable legal and professional obligations, including those arising from the Statute of the Portuguese Bar Association, and may include personal data of third parties who are not clients (such as counterparties, legal representatives, witnesses, experts or other participants), to the extent necessary for the proper provision of legal services.

Where personal data are not obtained directly from the data subject, the information provided for in Article 14 GDPR may not be individually provided where this proves impossible, involves a disproportionate effort or where the provision of such information is covered by professional secrecy, under the GDPR and applicable professional regulations.

4. Purposes and legal bases for processing

Belzuz processes personal data only where there is a valid legal basis, as provided for in the GDPR. Below are the main purposes and corresponding legal grounds:

Purpose	Legal basis	Data processed
Provision of legal services, including opening and management of files, client registration, analysis of potential conflicts of interest, communications with clients, authorities and courts, and document archiving	Performance of a contract or pre-contractual steps at the request of the data subject (Article 6(1)(b) GDPR); compliance with a legal obligation (Article 6(1)(c) GDPR); legitimate interest (Article 6(1)(f) GDPR)	Identification and contact data, professional data, communications and other information relevant to the provision of contracted legal advisory services and pursuit of the mandate (including, where necessary and with appropriate legal safeguards, special categories of personal data under Article 9(2) GDPR, in particular where processing is necessary for the establishment, exercise or defense of legal claims)
Acquisition and management of external services	Pre-contractual steps; performance of a contract (Article 6(1)(b) GDPR)	Identification and contact data and information about the service provided
Billing and accounting management	Performance of a contract (Article 6(1)(b) GDPR); compliance with a legal obligation (Article 6(1)(c) GDPR); legitimate interest (Article 6(1)(f) GDPR)	Identification and contact data, payment data
Response to contact requests submitted through the website	Legitimate interest (Article 6(1)(f) GDPR)	Name, email and content of the message
Sending newsletters, legal updates and informational communications	Performance of a contract (Article 6(1)(b) GDPR); legitimate interest (Article 6(1)(f) GDPR); consent (Article 6(1)(a) GDPR)	Name and email
Communication with former clients or collaborators	Legitimate interest (Article 6(1)(f) GDPR); consent (Article 6(1)(a) GDPR)	Identification and contact data, email and professional background
Recruitment and selection	Pre-contractual steps (Article 6(1)(b) GDPR); legitimate interest (Article 6(1)(f) GDPR); and, where applicable, consent for retention of the CV for future processes (Article 6(1)(a) GDPR)	Identification data, academic and professional background, contact details and email
Optimization of browsing experience (cookies)	Consent (Article 6(1)(a) GDPR)	Data relating to interaction with the website
Internal management, regulatory compliance, prevention of legal risks and defense of Belzuz’s legitimate interests, including complaint management, administrative or judicial proceedings and professional liability insurance	Legitimate interest (Article 6(1)(f) GDPR); compliance with a legal obligation (Article 6(1)(c) GDPR)	Identification and contact data, professional data, communications and documentation related to the file or complaint
Organization and participation in professional events, training activities and institutional relations	Legitimate interest (Article 6(1)(f) GDPR); consent where applicable (Article 6(1)(a) GDPR)	Identification and contact data, professional data and, where applicable, image
Compliance with anti-money laundering and counter-terrorist financing obligations	Compliance with a legal obligation (Article 6(1)(c) GDPR)	Identification data, supporting documentation and information relating to the transaction

Belzuz does not use data collected through website forms for direct marketing purposes without the data subject’s prior, specific and informed consent.

Belzuz does not carry out solely automated decision-making or profiling producing legal or similarly significant effects.

5. Data retention

In strict compliance with applicable legislation, personal data are retained only for the period strictly necessary to fulfil the purposes for which they were collected and in accordance with applicable legal and professional obligations.

Retention periods vary depending on the applicable national legal framework, as set out below:

• Portugal specific retention periods:

• Provision of legal services – duration of the contractual relationship/mandate;
• Retention of information relating to the services provided – 20 years after termination of the legal services contract;
• Informational communications, including newsletters and legal updates – for as long as the contractual relationship remains in place (retainer basis) or until the right to object is exercised, as applicable;
• Billing and accounting – 10 years;
• Recruitment – up to 2 years where the candidate is not selected, where there is a legitimate interest in managing the recruitment process or the data subject’s consent to retain the curriculum vitae for future recruitment processes, unless the data subject requests earlier erasure;
• Identification and due diligence measures (KYC/AML) – 7 years after the end of the business relationship or occasional transaction;
• Contact requests – until completion of the request;
• Data processed for the establishment, exercise or defense of legal claims – for the time necessary until final judgment and compliance with applicable decisions;
• Cookies – as indicated in the Cookie Policy.

 

• Spain specific retention periods:
• Provision of legal services – duration of the contractual relationship / mandate plus 5 years following its termination;
• Information relating to legal services provided – 10 years after termination of the service agreement;
• Billing and accounting – 6 years;
• Informative communications (including newsletters and legal updates) – for the duration of the contractual relationship or until the exercise of the right to object;
• Recruitment data – up to 2 years where the candidate is not selected, where there is a legitimate interest in managing the recruitment process or the data subject’s consent to retain the curriculum vitae for future recruitment processes, unless the data subject requests earlier erasure;
• KYC / AML data – 10 years after the end of the business relationship or occasional transaction, pursuant to Spanish AML legislation;
• Contact requests – until completion of the request;
• Data processed for the establishment, exercise or defense of legal claims – until final resolution and enforcement of the relevant decisions;
• Cookies – as set out in the Cookie Policy.

In the event of litigation involving Belzuz, retention periods may be extended for the duration of the proceedings and until their definitive conclusion.

Upon expiry of the applicable retention periods, personal data are securely deleted or irreversibly anonymized.

6. Recipients of personal data

Personal data are not disclosed to third parties except where necessary for the provision of legal services, where required by law or court order, or where consent has been obtained.

Recipients may include:

• Courts, judicial authorities, public prosecutors, law enforcement bodies, regulatory or supervisory authorities, where disclosure is required or permitted by applicable law;
• Other law firms, lawyers, legal advisers, insolvency administrators, experts or judicial agents, where such disclosure is strictly necessary for the provision of legal services or the defense of legal rights;
• Service providers acting on behalf of Belzuz as data processors (including IT service providers, document archiving and custody providers, translation services and secure communication providers), bound by contractual obligations in accordance with Article 28 GDPR;
• The other Belzuz entity (Spain or Portugal), acting as an independent data controller, solely under the terms and conditions set out in Section 2 of this Policy and only where necessary for the preliminary assessment of matters, the submission of legal service proposals or the coordinated provision of cross-border legal services.

All disclosures of personal data are carried out in strict compliance with legal professional secrecy and confidentiality obligations and are limited to what is strictly necessary for the purposes pursued.

Where personal data are processed by third parties on behalf of Belzuz, such processing is governed by written agreements ensuring appropriate technical and organizational security measures and compliance with the GDPR.

7. Personal data security

Belzuz adopts appropriate technical and organizational measures to ensure a level of security appropriate to the risk, protecting personal data against destruction, loss, alteration, unauthorized disclosure or access, in accordance with Articles 32 et seq. GDPR and applicable national legislation.
These measures include:

• Pseudonymization and encryption of personal data, where appropriate;
• Access control mechanisms and access logging to information systems;
• Procedures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• Incident response plans and data recovery measures;
• Procedures enabling timely restoration of availability and access to personal data in the event of a physical or technical incident;
• Regular testing, assessment and evaluation of the effectiveness of implemented technical and organizational measures.

8. Cookies

The website uses cookies and similar technologies in accordance with the GDPR, the ePrivacy Directive (Directive 2002/58/EC), and the applicable national implementing legislation in Portugal and Spain. Further details are available in the Cookie Policy.

9. Data subject rights

As a data subject, you have the following rights under Articles 15 to 22 GDPR and applicable national legislation:

• Right of access (Article 15 GDPR): to obtain confirmation as to whether or not your personal data are being processed and to access the relevant information;
• Right to rectification (Article 16 GDPR): to request the correction of inaccurate data or the completion of incomplete data;
• Right to erasure (Article 17 GDPR): to request the deletion of personal data where they are no longer necessary for the purposes for which they were collected, where consent is withdrawn or where you object to the processing, without prejudice to compliance with legal obligations or the overriding of Belzuz’s legitimate interests;
• Right to restriction of processing (Article 18 GDPR): to request the restriction of processing in certain situations, in particular while the accuracy of the data is being verified or an objection is being assessed;
• Right to data portability (Article 20 GDPR): to receive the personal data you have provided in a structured, commonly used and machine-readable format and to transmit them to another controller, where technically feasible;
• Right to object (Article 21 GDPR): to object, at any time, to processing based on Belzuz’s legitimate interests, including processing for informational communications;
• Right to withdraw consent (Article 7(3) GDPR): to withdraw consent at any time, without affecting the lawfulness of processing carried out prior to such withdrawal;
• Right not to be subject to solely automated decisions (Article 22 GDPR): not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you.

The exercise of these rights may be limited where it would involve disclosure of information protected by professional secrecy, judicial secrecy or the rights and freedoms of third parties, under Article 23 GDPR.

Belzuz undertakes to respond to data subject requests within a maximum period of one (1) month from receipt, which may be extended by two (2) additional months where necessary, taking into account the complexity and number of requests, under Article 12(3) GDPR. In such cases, the data subject will be informed of the extension within the first month.

Belzuz may request additional information where it has reasonable doubts as to the identity of the requester, under Article 12(6) GDPR.

Exercise of rights

You may exercise your rights by contacting the relevant data controller using the following contact details

• Spain

BELZUZ ABOGADOS, S.L.P.

Calle Núñez de Balboa, 115 bis, 1º C 28006 Madrid, Spain

Tel.: +34 91 562 50 76

Email: [email protected]

• Portugal

BELZUZ ABOGADOS, S.L.P. – Portuguese Branch

Av. Duque d’Ávila, 141 – 1º Dto. 1050-081 Lisbon, Portugal

Tel.: +351 21 324 05 30

Email: [email protected]

In both cases, proof of identity may be required, namely by providing a copy of the Citizen Card or another valid identification document, where necessary to verify the identity of the data subject.

You also have the right to lodge a complaint with the competent supervisory authority:

• Spain: Agencia Española de Protección de Datos (AEPD) – https://www.aepd.es
• Portugal: Comissão Nacional de Proteção de Dados (CNPD) – https://www.cnpd.pt

10. International data transfers

Personal data may be shared between BELZUZ ABOGADOS, S.L.P. and BELZUZ ABOGADOS, S.L.P. – Portuguese Branch in accordance with Section 2 of this Policy, where necessary for the preliminary assessment of legal matters, the submission of legal service proposals or the coordinated provision of cross-border legal services.

Such data exchanges take place within the European Union and therefore do not constitute international data transfers within the meaning of Chapter V of the GDPR.

Where, on an exceptional basis, it becomes necessary to transfer personal data to recipients or service providers located outside the European Economic Area (EEA), Belzuz shall ensure that such transfers are carried out in compliance with Articles 44 to 49 of the GDPR and subject to appropriate safeguards, including, where applicable:

• Adequacy decision adopted by the European Commission (Article 45 GDPR);
• Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR);
• Binding corporate rules (Article 47 GDPR);
• Codes of conduct or certification mechanisms accompanied by binding and enforceable commitments (Article 46(2)(e) and (f) GDPR).

Where required, Belzuz shall carry out transfer risk assessments or equivalent evaluations in line with the guidance issued by the European Data Protection Board (EDPB) and the relevant national supervisory authority.

11. Amendments to this Privacy Policy

Belzuz may amend this Privacy Policy at any time, namely to reflect legislative changes, guidance from supervisory authorities or changes to its internal personal data processing procedures.

The updated version will be published on this Website (https://belzuz.com/pt/), indicating the date of the last update. In the event of substantial changes likely to significantly affect data subjects’ rights, Belzuz may provide direct notice through available contact means.

Periodic consultation of this Policy is recommended to follow the evolution of Belzuz’s data protection practices.

12. Contacts

For any questions regarding this Policy or the processing of personal data, please contact the relevant entity using the details set out in Section 1.