PRIVACY POLICY

This privacy policy describes how personal data is collected, used, and protected in the context of interactions with the website https://bradulex.com and with the law firm Bradu, Neagu și Asociații – S.C.A., in accordance with Regulation (EU) 2016/679 on the protection of personal data and applicable national legislation.

The controller of personal data is the law firm Bradu, Neagu și Asociații – S.C.A., with its registered office at 45 Pavel D. Kiseleff Blvd., Sector 1, Bucharest – 011343, registered and operating in accordance with the provisions of Law No. 51/1995 on the organization and practice of the legal profession and the Statute of the Legal Profession, which processes personal data in the context of its professional activities, in strict compliance with the obligation of confidentiality and professional secrecy.

Depending on the nature of the legal relationship and the services provided, the firm may act either as a personal data controller or as a data processor, with the legal framework for processing being determined in each specific case based on the circumstances of the matter and the existing contractual relationship.

Typically, in the provision of legal services, Bradu, Neagu și Asociații – S.C.A. acts as an independent controller, as it determines the purposes and means of processing necessary for the performance of the mandate and compliance with professional obligations. In specific situations, the firm may also act as a processor on behalf of and at the client’s instructions, exclusively on the basis of a contract or an addendum that complies with the requirements of Article 28 of the GDPR. The company’s status as a controller or processor is determined for each processing activity, depending on the actual role and the applicable contractual framework.

With regard to data processed through the website, including via the contact form, correspondence sent to the email addresses displayed on the site, and technical data associated with its use, Bradu, Neagu și Asociații – S.C.A. generally acts as a personal data controller.

Personal data is collected directly from users, particularly when they fill out the contact form available on the website, submit requests via email, request information regarding legal services, or submit documents for a preliminary review. Additionally, when accessing the website, technical data such as the IP address, browser type, or information regarding how the site is used may be collected.

In certain situations, personal data may also come from sources other than the data subject, such as documents and information provided by clients, correspondence sent by their representatives, public records, courts, authorities, or other sources permitted by law, to the extent that such data is necessary for analyzing the request, verifying conflicts of interest, or providing legal services.

The data processed may include, depending on the situation, first name, last name, email address, phone number, position, the company represented, as well as any other information voluntarily provided by the data subject. Depending on the nature of the request and the mandate, the firm may also process identification data, including national identification number, ID card series and number, data from civil status documents, financial data, data included in documents, evidence, correspondence, and procedural documents, as well as, when relevant to the case under review, special categories of data within the meaning of Article 9 of the GDPR, such as data regarding health, trade union membership, political opinions, or other sensitive data. Furthermore, to the extent strictly necessary for the provision of legal services or the defense of legitimate rights and interests, data relating to criminal convictions and offenses or related security measures may also be processed, subject to the conditions permitted by law. All such data is processed exclusively to the extent necessary and under conditions of heightened confidentiality.

Not all categories of data listed above are processed in every case, but only those data that are adequate, relevant, and limited to what is necessary in relation to the specific purpose pursued.

Submitting a request via the website, by email, or through other means of communication does not automatically establish an attorney–client relationship and does not constitute acceptance of a retainer. Until the case is expressly accepted, the information provided is reviewed for preliminary purposes. However, the firm treats the information received as confidential and applies safeguards appropriate to the nature of the profession, including obligations arising from professional secrecy. To reduce the risk of unintentionally transmitting excessive data, users are encouraged not to transmit sensitive data except to the extent strictly necessary for describing the situation.

Prior to accepting a collaboration, the firm may conduct internal checks regarding the existence of potential conflicts of interest, in accordance with the legal and ethical obligations applicable to the legal profession. To conduct these preliminary checks, the firm may process minimal data, such as the name or business name of the potential client, the names or business names of opposing parties, as well as other relevant individuals, the general subject matter of the case, and the court or jurisdiction involved. If a conflict of interest is identified or the mandate is refused, the firm may maintain a minimal record of the verification performed, consisting, as a rule, of the relevant identities or names, the date of the verification, and its result, exclusively for the purpose of preventing future conflicts of interest and defending the firm’s legitimate rights and interests.

Users are encouraged not to provide excessive information or sensitive details prior to the confirmation of a contractual relationship, but only those elements necessary for a preliminary assessment of the request.

The firm reserves the right to refuse to accept requests received, without the obligation to provide a detailed justification, to the extent that they fall outside its area of expertise or raise issues incompatible with applicable professional obligations.

If the company refuses to accept the mandate, further processing of the data will be limited to what is necessary for recording the request, preventing conflicts of interest, and defending the company’s legitimate rights and interests, with the remaining information to be deleted or anonymized, as a rule, within a period not exceeding the time required to maintain the minimum record of the request, except in cases where retention is required by law or justified by an overriding legitimate interest.

The purposes of processing are specific and legitimate, aimed at analyzing received requests, communicating with individuals interested in legal services, assessing the appropriateness of initiating a collaboration, managing client relationships, as well as defending the company’s legitimate rights and interests in any judicial or administrative proceedings.

The legal grounds for processing are, as applicable, the performance of pre-contractual measures at the request of the data subject, the performance of the legal assistance contract, the fulfillment of legal obligations applicable to the company, the legitimate interest of the controller, and, where required by law or where the nature of the operation so requires, the consent of the data subject.

Specifically, personal data is processed to respond to requests submitted via the website, email, or telephone and to carry out pre-contractual measures at the request of the data subject, pursuant to Article 6(1)(b) of the GDPR; to conclude and perform the legal assistance contract and carry out the mandate, pursuant to Article 6(1)(b) of the GDPR; to fulfill the legal obligations applicable to the company, including financial and accounting obligations or other obligations provided by law, pursuant to Article 6(1)(c) of the GDPR; as well as for the administration and security of the website, the prevention of fraud or abuse, the management of security incidents, and the protection of the company’s legitimate rights and interests, pursuant to Article 6(1)(f) of the GDPR.

To the extent that special categories of data are processed within the meaning of Article 9 of the GDPR, such processing is carried out, as applicable, for the establishment, exercise, or defense of a legal claim, pursuant to Article 9(2)(f) of the GDPR, and/or based on the explicit consent of the data subject, where applicable. To the extent that data relating to criminal convictions and offenses are processed, such processing is carried out only under the conditions permitted by Union or national law and with appropriate safeguards.

In applying the principle of accountability, the company conducts periodic assessments of processing activities, including risk analyses and, where appropriate, analyses of legitimate interests or impact assessments, to ensure compliance with legal requirements and to protect the rights of data subjects.

Personal data is not used for unsolicited direct marketing purposes and is not subject to fully automated decision-making processes that produce legal effects on data subjects.

Personal data is retained for varying periods, depending on the purpose of processing and applicable legal obligations. In the case of initial requests and pre-contractual steps, including conflict-of-interest checks, the data strictly necessary for recording the request and documenting the correspondence may generally be retained for a period of up to 12 months from the conclusion of discussions or from the communication of the refusal of the mandate, , except in cases where retention is necessary to prevent future conflicts of interest or to defend the company’s rights. In the case of contractual relationships and accepted mandates, data is retained for the duration of the contractual relationship and thereafter for the period necessary for archiving the file, fulfilling legal obligations, and defending rights in court. In the case of disputes, complaints, investigations, or requests made by data subjects, data may be retained for the duration of the proceedings and thereafter for the applicable limitation periods. Financial and accounting documents and mandatory records are retained for the period provided for by Accounting Law No. 82/1991, currently 5 years calculated from July 1 of the year following the end of the fiscal year in which they were prepared, as well as for any other period required by law.

Data may be disclosed, to the extent strictly necessary, to IT service providers, hosting service providers, email service providers, technical maintenance providers, or other professional partners, only to the extent that their access is necessary for the provision of such services and based on contractual relationships that ensure compliance with data privacy and security requirements, as well as to public authorities, under the conditions and within the limits provided by law.

To the extent that, for certain technical or operational services, personal data is processed by providers using infrastructure located outside the European Economic Area, the company will ensure the application of appropriate safeguards in accordance with Chapter V of the GDPR, including, where applicable, based on adequacy decisions or standard contractual clauses.

To protect data, the company implements reasonable and appropriate technical and organizational measures to ensure an appropriate level of security for personal data, in relation to the nature, purpose, and risks of the processing. These measures include, as appropriate, restricting access to data, using technical protection solutions, and adopting internal work rules designed to reduce the risk of unauthorized access, disclosure, loss, or alteration of data.

In the event of a security incident affecting personal data, the company shall promptly assess the nature and impact of the incident and apply internal management and notification procedures. If the incident is likely to pose a risk to the rights and freedoms of data subjects, the company notifies the National Supervisory Authority for Personal Data Processing (ANSPDCP) without undue delay and, as far as possible, within 72 hours of becoming aware of the incident. If the incident is likely to result in a high risk, the company shall also inform the data subjects, under the conditions provided by law. In situations where the company acts as a data processor, it shall notify the data controller of the incident without delay.

The website may use cookies and similar technologies. Cookies strictly necessary for the website’s operation may be used without the user’s prior consent. For non-essential cookies, including those for analytics, performance, personalization, or marketing, the user’s consent will be requested in advance, under the conditions provided by Law No. 506/2004. Users may withdraw their consent at any time and modify their preferences through the cookie settings module available on the website. Refusing non-essential cookies does not generally affect access to the main content of the site. Detailed information regarding the categories of cookies used, their duration, and associated purposes will be provided in a separate Cookie Policy.

Data subjects are entitled to all rights provided by applicable law, namely the right of access, rectification, erasure, restriction, objection, and data portability. These rights may be exercised by sending a request to the email address office@bradulex.com or by submitting a written request to the company’s headquarters at 45 Pavel D. Kiseleff Blvd., Sector 1, Bucharest – 011343.

The exercise of certain rights may be limited to the extent that processing is necessary to comply with a legal obligation, to maintain professional records, to establish, exercise, or defend a right in court, or to comply with obligations arising from the practice of law.

Furthermore, data subjects have the right to contact the National Supervisory Authority for Personal Data Processing (ANSPDCP) and/or the competent courts if they believe that data processing is being carried out in violation of legal provisions.

This policy may be updated periodically, depending on legislative changes or the evolution of the company’s activities, with the updated version being permanently available on the website.

Last updated: March 27, 2026