Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

WorkRights Legal BV is registered with the Dutch Chamber of Commerce (Kamer van Koophandel) and operates as a professional services firm providing employment and labour law services.

2. Data We Collect

We collect personal data in the following categories:

2.1 Data you provide to us directly

• Identity data: full name, job title, employer name
• Contact data: email address, telephone number, postal address
• Case data: details of your employment dispute, documents you share with us, communications
• Financial data: bank details for invoicing purposes where applicable
• Special categories of data: where relevant to your legal matter, we may process data about health, racial or ethnic origin, or trade union membership — only with your explicit consent or as necessary to establish, exercise, or defend legal claims

2.2 Data we collect automatically

• Technical data: IP address, browser type and version, device type, operating system
• Usage data: pages visited, time spent on pages, referral source
• Cookie data: as described in our Cookie Policy

3. Purposes of Processing

We process your personal data for the following purposes:

• To respond to your enquiries and provide legal advice and representation
• To manage the lawyer-client relationship and administer your case file
• To comply with our professional obligations as lawyers (including confidentiality and conflict-of-interest checks)
• To issue invoices and process payments
• To send service-related communications about your matter
• To improve the functionality and content of our website
• To comply with legal and regulatory obligations under Dutch and EU law
• With your consent: to send newsletters and legal updates about employment law

4. Legal Basis (GDPR Article 6)

We rely on the following legal bases for processing:

• Art. 6(1)(a) — Consent: where you have provided explicit consent, e.g. for marketing communications or newsletter subscription.
• Art. 6(1)(b) — Contract performance: where processing is necessary to provide legal services you have requested or to enter into an engagement agreement with you.
• Art. 6(1)(c) — Legal obligation: where we are required to process data to comply with legal obligations, including anti-money laundering regulations (Wwft) and professional conduct rules.
• Art. 6(1)(f) — Legitimate interests: where processing is necessary for our legitimate interests, such as improving our website, preventing fraud, and maintaining business records — provided these interests are not overridden by your rights.

For special category data (Art. 9 GDPR), we rely on Art. 9(2)(f) (establishment, exercise or defence of legal claims) and, where required, your explicit consent under Art. 9(2)(a).

5. Data Retention

We retain your personal data only as long as necessary for the purposes for which it was collected:

• Client and case files: 7 years after the conclusion of the matter (in accordance with professional obligations under the Dutch Bar Association (NOvA) rules and applicable limitation periods).
• Financial records: 7 years (Dutch tax law requirement).
• Marketing consents and contact enquiries: 2 years from last contact, unless you withdraw consent earlier.
• Website analytics data: 26 months (anonymised after 14 months).

After retention periods expire, data is securely deleted or anonymised.

6. Third Party Sharing

We may share your personal data with the following categories of third parties:

• Courts and tribunals: when conducting litigation on your behalf
• Opposing parties and their legal representatives: as required in the course of legal proceedings
• Expert witnesses and barristers: where instructed as part of your matter
• IT service providers: for case management software, document storage, and email (under data processing agreements)
• Accountants and auditors: for financial compliance purposes
• Regulatory and professional bodies: including the Dutch Bar Association (NOvA) if required

We do not sell, rent or otherwise disclose your personal data to third parties for commercial purposes.

7. International Transfers

Your personal data is stored and processed primarily on servers located within the European Economic Area (EEA). Where we use third-party service providers that may transfer data outside the EEA, we ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to countries with an adequacy decision under Art. 45 GDPR

You may request details of the safeguards applied to international transfers by contacting us at the address below.

8. Data Security

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, accidental loss, alteration or disclosure. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest
• Access controls and multi-factor authentication for internal systems
• Regular staff training on data protection and information security
• Secure disposal of physical documents
• Regular security reviews and vulnerability assessments

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and inform affected individuals without undue delay where required.

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): You may request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): You may request deletion of your data in certain circumstances (the "right to be forgotten").
• Right to portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): You may object to processing based on legitimate interests or for direct marketing purposes.
• Right to restriction (Art. 18): You may request that we restrict processing of your data in certain circumstances.
• Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at info@workrights.legal. We will respond within one calendar month. We may need to verify your identity before processing your request.

10. Cookies

We use cookies and similar tracking technologies on our website. For full details of the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

11. Minors

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16 years of age. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete the data without delay.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by posting the updated policy on this page with a revised "last updated" date. Where required by law, we will seek your consent for significant changes. We encourage you to review this policy periodically.

13. Complaints

If you have concerns about how we handle your personal data, we encourage you to contact us first so we can address your concerns.

If you remain unsatisfied, you have the right to lodge a complaint with the Dutch supervisory authority:

14. Contact

For any questions about this Privacy Policy or to exercise your rights, please contact us: