PRivacy statement

General and scope

  1. Pack2 A B.V., CAP Advisory B.V. or any other entity affiliated with the law firm Pack2 (Pack2) is the controller within the meaning of article 4(7) of the General Data Protection Regulation (Regulation (EU) 2016/679) (hereinafter: GDPR) for the processing of personal data described in this privacy statement.

  2. This privacy statement applies to all personal data processed by Pack2 in connection with:

  1. the provision of legal and advisory services to clients;

  2. the operation of Pack2's website (www.pack2.nl);

  3. recruitment and selection activities; and

  4. other business operations of Pack2;


  1. Pack2 processes personal data in accordance with the GDPR and the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming, hereinafter: UAVG).

  1. Categories of personal data processed

    1. Depending on the context, Pack2 may process the following categories of personal data:

  1. Identification data: full name, gender, date of birth, copy of a valid identity document (where required under the Wwft or other applicable law);

  2. Contact details: postal address, email address, telephone number;

  3. Professional information: employer, job title, professional qualifications, bar registration details;

  4. Financial data: bank account number, invoicing details, payment history;

  5. Case-related data: information provided by or about a data subject in connection with the provision of legal services, including correspondence, court documents, and information received from third parties such as opposing parties, courts, and public registers;

  6. Special categories of personal data: Pack2 may, in limited circumstances, process special categories of personal data within the meaning of article 9 GDPR (such as health data or data relating to criminal convictions or offences) where this is strictly necessary for the conduct of legal proceedings or for compliance with a legal obligation;

  7. Recruitment data: curriculum vitae, application letters, professional references, and assessment results; and

  8. Communication and website data: correspondence with Pack2 and, to the extent applicable, website usage data.

  1. Purposes and legal bases for processing

    1. Pack2 processes personal data only for specified, explicit, and legitimate purposes. The table below sets out the main processing activities, the applicable legal basis under article 6 GDPR, the categories of data involved, and the applicable retention period.]


Purpose of processing

Legal basis (Art. 6 GDPR)

Categories of data

Retention period

Providing legal and advisory services to clients

Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c))

Identification, contact, professional, financial, case-related data

7 years after end of Engagement 

Compliance with anti-money laundering obligations (Wwft)

Legal obligation (Art. 6(1)(c))

Identification data, financial data, UBO information

5 years after end of business relationship (Wwft requirement)

Invoicing and financial administration

Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f))

Identification, contact, financial data

7 years (Dutch tax retention obligation)

Recruitment and selection

Consent (Art. 6(1)(a)); legitimate interests (Art. 6(1)(f))

Recruitment data, contact details

4 weeks after end of procedure (or up to 1 year with consent)

Operating and improving the website

Legitimate interests (Art. 6(1)(f)); consent where required

Communication and website data

See cookie notice on www.pack2.nl

Complying with court orders, regulatory requests, or other legal obligations

Legal obligation (Art. 6(1)(c))

As required by the relevant legal obligation

As required by law


  1. Sources of personal data

    1. Pack2 may receive personal data from the following sources:

  1. directly from the data subject (e.g., in the context of an Engagement or a job application);

  2. from third parties acting in connection with an Engagement, such as opposing parties, co-counsel, courts, notaries, or public authorities;

  3. from publicly available sources, such as the Chamber of Commerce register (handelsregister), the land register (Kadaster), or court registers; and

  4. from clients providing information about their counterparties or other third parties in connection with a matter.


  1. Where Pack2 receives personal data about a data subject from a source other than the data subject, Pack2 will provide the information required under article 14 GDPR within a reasonable period, unless an exception under article 14(5) GDPR applies (for example, where providing such information would be impossible or would require disproportionate effort, or where doing so would prejudice the legitimate purposes of the processing in connection with legal proceedings).

  • Sharing of personal data with third parties

    1. Pack2 does not sell personal data to third parties. Pack2 shares personal data with third parties only to the extent necessary for the purposes set out herein 4 or as required by law. Third parties with whom Pack2 may share personal data include:

  1. other law firms, counsel, or advisers engaged in connection with an Engagement;

  2. courts, arbitral tribunals, and other dispute resolution bodies;

  3. opposing parties and their representatives, to the extent required or permitted in the context of legal proceedings or negotiations;

  4. notaries, bailiffs, and other judicial officers;

  5. IT service providers and other processors acting on behalf of Pack2 under a data processing agreement (verwerkersovereenkomst) as referred to in article 28 GDPR;

  6. accountants, tax advisers, and auditors engaged by Pack2; and

  7. competent authorities, regulators, and supervisory bodies where disclosure is required by law (including under the Wwft).


  1. Where Pack2 engages a processor within the meaning of article 4(8) GDPR (i.e., a party processing personal data on Pack2's behalf and under Pack2's instructions), Pack2 shall conclude a data processing agreement with that processor in accordance with article 28 GDPR. Third parties who process personal data for their own independent purposes (such as an accountant or a notary acting in their own capacity) are themselves responsible for compliance with the GDPR in respect of that processing.

  1. Retention of personal data

    1. Pack2 retains personal data no longer than is necessary for the purposes for which it was collected, or for as long as required by applicable law or regulation. The main retention periods are set out in the table in clause 3.1.

    2. For legal files, Pack2 applies a standard retention period of seven (7) years after the end of the relevant Engagement, consistent with the statutory limitation period under Section 3:310 of the Dutch Civil Code and standard professional practice. Pack2 may retain personal data for a longer period where this is necessary for the establishment, exercise, or defence of legal claims, or where a longer statutory retention obligation applies (for example, the five-year Wwft retention obligation or the seven-year tax administration obligation).

  2. International transfers of personal data

    1. Pack2 does not structurally transfer personal data to countries outside the European Economic Area (EEA). If Pack2 does transfer personal data to a third country in connection with a specific Engagement (for example, in the context of a cross-border transaction), Pack2 shall ensure that an appropriate safeguard within the meaning of article 46 GDPR is in place, such as the standard contractual clauses adopted by the European Commission, unless a derogation under article 49 GDPR applies.

  3. Security of personal data

    1. Pack2 implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, alteration, or disclosure, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks to the rights and freedoms of natural persons (article 32 GDPR).

    2. Where Pack2 engages processors, Pack2 shall contractually require those processors to implement equivalent security measures. Notwithstanding the foregoing, Pack2 cannot guarantee absolute security and is not liable for any unauthorised access that occurs despite Pack2's reasonable security measures.

  4. Rights of data subjects

    1. Data subjects whose personal data Pack2 processes have the following rights under the GDPR:

  1. Right of access (article 15 GDPR): the right to obtain confirmation of whether Pack2 processes personal data concerning the data subject and, if so, to receive a copy of that data;

  2. Right to rectification (article 16 GDPR): the right to have inaccurate personal data corrected and incomplete personal data completed;

  3. Right to erasure (article 17 GDPR): the right to request deletion of personal data, subject to the exceptions provided in article 17(3) GDPR (including where retention is required by law or for the establishment, exercise, or defense of legal claims);

  4. Right to restriction of processing (article 18 GDPR): the right to request that processing be restricted in certain circumstances;

  5. Right to data portability (article 20 GDPR): the right to receive personal data in a structured, commonly used, and machine-readable format, where processing is based on consent or contract and is carried out by automated means;

  6. Right to object (article 21 GDPR): the right to object to processing based on legitimate interests or for direct marketing purposes; and

  7. Right to withdraw consent (article 7(3) GDPR): where processing is based on consent, the right to withdraw that consent at any time, without affecting the lawfulness of processing prior to withdrawal.


  1. To exercise any of the above rights, the data subject may submit a written request to Pack2 by email at info@pack2.nl. Pack2 shall respond within one (1) month of receipt of the request in accordance with article 12(3) GDPR. This period may be extended by a further two (2) months where the complexity or number of requests so requires, in which case Pack2 shall notify the data subject of the extension within one (1) month of receipt.

  2. Pack2 may decline a request, in whole or in part, where an exception under the GDPR applies, including where complying with the request would conflict with Pack2's duty of professional confidentiality, a legal retention obligation, or the rights of third parties. Pack2 shall inform the data subject of any such refusal.

  3. Data subjects have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) via www.autoriteitpersoonsgegevens.nl.

  1. Website and cookies

    1. Pack2's website (www.pack2.nl) may use cookies or similar tracking technologies. Where Pack2 uses non-essential cookies (i.e., cookies that are not strictly necessary for the functioning of the website), Pack2 shall request the visitor's prior consent in accordance with article 6(1)(a) GDPR and the Dutch Telecommunications Act (Telecommunicatiewet).

    2. A separate cookie notice describing the types of cookies used, their purposes, and the options available to visitors is available on www.pack2.nl.

  2. Amendments to this privacy statement

    1. Pack2 may amend this privacy statement from time to time, for example to reflect changes in applicable law or Pack2's processing activities. The most recent version of this privacy statement is always available on www.pack2.nl. Where required by law, Pack2 shall notify data subjects of material changes.


Contact

Careers

LinkedIN

Privacy

Terms & Conditions

Contact

Careers

LinkedIN

Privacy

Terms & Conditions

Contact

Careers

LinkedIN

Privacy

Terms & Conditions