DATA PROTECTION NOTICE

Lacuna Law & Cyber

Effective Date: 14.04.2026

1. Purpose

This Data Protection Notice outlines how Lacuna Law & Cyber processes personal data in the course of providing legal, cybersecurity, and digital risk advisory services. It supplements our Privacy Policy and reflects our commitment to compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

2. Scope

This Notice applies to:

  • Clients and prospective clients

  • Website users and inquiry submitters

  • Business partners and professional contacts

  • Individuals whose data is processed during advisory mandates (e.g., employees, stakeholders, incident-related data subjects)

3. Role as Data Controller / Processor

Depending on the nature of the engagement, Lacuna Law & Cyber may act as:

  • Data Controller: when determining the purposes and means of processing (e.g., client onboarding, communications)

  • Data Processor: when processing personal data on behalf of a client (e.g., during cyber incident response or investigations)

Where we act as a processor, we process data strictly in accordance with client instructions and applicable law.

4. Categories of Personal Data

We may process the following categories of personal data:

a. Identification & Contact Data

  • Name, title, organization

  • Email address, phone number

  • Professional role and affiliation

b. Client & Engagement Data

  • Information necessary for legal advisory and representation

  • Regulatory and compliance-related data

  • Documentation and records related to services provided

c. Technical & Cyber Incident Data

  • System logs, IP addresses, device identifiers

  • Incident-related data (e.g., breach data, compromised records)

  • Forensic and investigation-related information

d. Sensitive Data

Where necessary and lawful, we may process special categories of personal data (e.g., data revealed during incidents or investigations), subject to heightened safeguards.

5. Purpose of Processing

We process personal data for the following purposes:

  • Delivery of legal and cyber advisory services

  • Cyber incident response and containment

  • Regulatory compliance and reporting

  • Internal investigations and risk assessments

  • Governance and executive advisory

  • Business operations and client management

6. Legal Bases for Processing

We rely on one or more of the following legal bases:

  • Performance of a contract

  • Compliance with legal obligations

  • Legitimate interests (including risk management, service delivery, and security)

  • Establishment, exercise, or defense of legal claims

  • Explicit consent, where required

7. Data Sharing

Personal data may be shared, where necessary, with:

  • Clients (where acting as processor)

  • Regulatory authorities and supervisory bodies

  • Courts and law enforcement agencies

  • External legal counsel and professional advisors

  • Cybersecurity and IT service providers

All disclosures are made in compliance with applicable legal and confidentiality obligations.

8. International Transfers

Where data is transferred outside the EEA, appropriate safeguards are implemented, including:

  • Standard Contractual Clauses (SCCs)

  • Transfers to jurisdictions with adequacy decisions

  • Other lawful mechanisms under GDPR

9. Data Retention

We retain personal data only for as long as necessary to:

  • Fulfill contractual and professional obligations

  • Comply with legal and regulatory requirements

  • Protect legal rights and manage risk

Retention periods are determined based on the nature of the data and applicable obligations.

10. Data Security

We implement robust technical and organizational measures, including:

  • Access controls and role-based permissions

  • Encryption and secure communication channels

  • Incident detection and response protocols

  • Confidentiality and legal privilege protections

11. Data Subject Rights

Individuals have the following rights under applicable law:

  • Right of access

  • Right to rectification

  • Right to erasure

  • Right to restriction of processing

  • Right to object

  • Right to data portability

Requests can be submitted to: ilvana@lacunalawcyber.com

12. Legal Professional Privilege

As a legal advisory firm, certain data processed may be subject to legal professional privilege. Such data is protected and may be exempt from disclosure in accordance with applicable laws.

13. Incident Handling & Breach Response

In the event of a data breach, we:

  • Assess and contain the incident promptly

  • Support clients in meeting GDPR notification obligations (including the 72-hour rule)

  • Coordinate with supervisory authorities where required

  • Document and remediate risks

14. Governance & Accountability

We maintain internal data protection governance structures, including:

  • Policies and procedures aligned with GDPR

  • Data protection by design and by default

  • Ongoing risk assessments and compliance reviews

Where applicable, we may act as or support a Data Protection Officer (DPO) function.

15. Updates

This Data Protection Notice may be updated periodically to reflect legal, regulatory, or operational changes.

16. Contact

For any questions regarding this Notice or data protection practices:

Email: ilvana@lacunalawcyber.com
Phone: +355 69 207 0412

Lacuna Law & Cyber
Cybersecurity. Data Protection. Digital Regulation. Executive Risk Governance.