This Data Transfer and Privacy Policy (the "Policy") outlines our general practices and procedures implementing appropriate standards in relation to (i) the types of personal data the Firm's offices receive from the EU and/or Greece (ii) how that personal data is used; and (iii) the options available to a specific individual in the EU or Greece (also referred to as the “data subject”) in relation to the Firm’s use of, and their ability to correct or request deletion of, the personal data relating to them.

Scope: This Policy applies to all "personal data" that the Firm receives from the EU and/or Greece that pertains to, a specific individual in the EU or Greece, can be linked to that individual, and is recorded in any form.

Notice: If we obtain personal data directly from individuals in the EU and/or Greece, we will inform those individuals about (i) why we are collecting and using their personal data; (ii) the types of third parties to whom we may disclose that personal data; (iii) each individual’s rights regarding their data; and (iv) how an individual may contact us. We will provide notice of the foregoing in clear and conspicuous language when individuals are first asked to provide personal data to us, or as soon as practicable thereafter, and in any event before we use or disclose the information for a purpose other than that for which it was originally collected. Consent for personal data to be collected, used, and/or disclosed in certain ways may be required in order for an individual to obtain or use the Firm's services. Alternatively, we process personal data as may be necessary for the Firm’s legitimate interests in managing its business, delivering legal services to clients and for the fulfilment of its contractual obligations.

Choice:  Where acting as a data controller (i.e., the person or entity that determines the purposes for which, and the manner in which, any personal data is processed), we will offer individuals the opportunity to choose (i.e., opt-out) whether their personal data is (i) to be disclosed to a non-agent third party, or (ii) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For special categories of personal data, we will give individuals the opportunity to affirmatively and explicitly (i.e., opt-in) consent to the disclosure of such personal data to a non-agent third party or the use of such personal data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. In connection with client engagements and at the direction of the Firm’s clients, we may process personal data of data subjects with whom the Firm has no direct relationship. We may disclose personal data to (i) agents as provided herein, and (ii) non-agent third parties for the purposes of, and as directed by, the client in connection with which that personal data was collected. In receiving such personal data from its clients, we will obtain an affirmation from such clients that all personal data transferred to us is transferred in accordance with all applicable international data protection legislation.

Onward Transfer: We will use commercially reasonable efforts to obtain assurances from third parties to whom they transfer data that they will safeguard personal data consistent with this Policy. If we discover that an agent is using or disclosing personal data in a manner contrary to this Policy, we will take commercially reasonable steps to prevent or stop the use or disclosure.

Security: We will take commercially reasonable precautions to protect personal data in its possession from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.

Data Integrity: We will use personal data only in ways that are compatible with the purposes for which we collected the data or in a manner that the data subject or client subsequently authorized. To the extent necessary, we will take commercially reasonable steps to ensure that personal data is relevant to its intended use, accurate, complete, and current.

Access: Upon request, we will provide individuals with information about the personal data that it holds about them in the Firm’s role as data controller. If an individual becomes aware that information the Firm maintains about that individual is inaccurate, or if an individual would like to update, review or erase his or her information, the individual may contact the Firm at info@emzlaw.com. The individual may need to provide sufficient identifying information to allow the Firm to confirm the individual’s identity.

Enforcement: We will periodically audit our relevant privacy practices to confirm that the Firm is adhering to this Policy. Any partner or employee who we determine is violating or has violated this Policy may be subject to disciplinary action up to and including termination.

Dispute Resolution - Human Resource Data: Any questions or concerns regarding the use or disclosure of our human resource data should be directed to the Firm's HR Director or the Director of Administration. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal data by reference to the European General Data Protection Regulation Principles and this Policy. For unresolved complaints related to our human resources data for partners and employees in the EU offices, We will cooperate with the European National Supervisory Authorities.

Dispute Resolution - Client Data: Any questions or concerns regarding the use or disclosure of client-related personal data should be directed to the Firm at info@emzlaw.com. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal data by reference to the GDPR and this Policy.

Limitations of the GDPR and this Policy: E. M. Zafeiropoulos & Associates adherence to the GDPR and this Policy will be limited as permitted by the GDPR: (i) to the extent necessary to meet national security, public interest, or law enforcement requirements, (ii) by statute, government regulation, or case law that creates conflicting obligations or authorizations, provided that, in exercising any such authorization, the Firm’s non-adherence is limited to the extent necessary to meet the overriding legitimate interests the Firm furthers, or (iii) if the effect of the EU Regulation on Data Protection (the "GDPR"), EU Member State law, or the Swiss Federal Act on Data Protection (the “FADP”) is to allow exceptions or derogations, provided the Firm applies such exceptions or derogations in comparable contexts. Further, because we are a law firm providing legal advice, adherence to certain of the GDPR (including Notice, Choice and Access), is limited with respect to personal data that the Firm processes and uses in certain respects, including, but not limited to, the establishment of a legal claim or defense or the representation of a client's interests and rights in an acquisition, merger, joint venture or other transaction. Personal data may also be subject to ethical duties of confidentiality or privilege.

E. M. Zafeiropoulos & Associates considers the internet and the use of other technologies to be valuable tools to communicate and interact with clients, employees, agents, business associates, and others. We recognize the importance of maintaining the privacy of information collected online and has created a specific Website Privacy Policy governing the treatment of personal data collected through web sites that it operates. The Website Privacy Policy is subordinate to this Policy. However, the Website Privacy Policy may reflect additional legal requirements with respect to internet privacy. The Website's Privacy Policy can be found at www.emzlaw.com.

Contacts for Questions and Concerns

Questions and concerns regarding this Policy should be directed to the Firm at info@emzlaw.com.

CHANGES TO THIS DATA TRANSFER AND PRIVACY POLICY

This Policy may be amended from time to time.

Last Updated: March 2, 2020