+423 377 34 04

office@frick.legal


PRIVACY POLICY


This Privacy Notice explains how we process personal data when you visit our website, contact us, and in the context of a client engagement (mandate), in accordance with the General Data Protection Regulation (GDPR), the Liechtenstein Data Protection Act (DSG) and other applicable sector-specific provisions.


  1. Controller

The controller within the meaning of Art. 4(7) GDPR is:

frick.legal – Attorney at Law Timo Frick
Rhigass 1
LI-9487 Gamprin
Telephone: +41 76 76 238 90
Email: tf@frick.legal
Website: www.frick.legal


  2. Supervisory authority and complaints

The competent supervisory authority in the EEA is:

Data Protection Office, Principality of Liechtenstein
Städtle 38, P.O. Box 684
FL-9490 Vaduz
Telephone: +423 236 60 90
Email: info.dss@llv.li
Web: www.datenschutzstelle.li

You have the right to lodge a complaint with the Data Protection Office or with another competent supervisory authority if you consider that the processing of your personal data infringes data protection law (Art. 77 GDPR).


  3. Contact point for data protection matters

For any questions relating to data protection and to exercise your data subject rights (see Section 13), please contact:

Attorney at Law Timo Frick
Email: info@frick.legal
Postal address: Rhigass 1, LI-9487 Gamprin

We have not appointed a Data Protection Officer within the meaning of Art. 37 GDPR, as the statutory requirements are not currently met.


  4. Definitions and legal bases

The terms used in this notice (e.g. “personal data”, “processing”, “controller”, “processor”) follow the definitions in the GDPR and the corresponding provisions of the Liechtenstein DSG.

We process personal data in particular on the following legal bases:

  • Art. 6(1)(b) GDPR – performance of a contract / steps prior to entering into a contract (e.g. handling an enquiry regarding a mandate; arranging an appointment).

  • Art. 6(1)(c) GDPR – compliance with a legal obligation (e.g. professional retention obligations; where applicable, due diligence obligations).

  • Art. 6(1)(f) GDPR – legitimate interests (e.g. operating a secure and functional website; IT security; establishing, exercising or defending legal claims).

  • Art. 6(1)(a) GDPR – consent, where obtained in a specific case (in particular for non-essential cookies/tracking).

Where special categories of personal data within the meaning of Art. 9 GDPR (e.g. health data) or data relating to criminal convictions and offences within the meaning of Art. 10 GDPR are processed, this will only occur where the additional conditions for such processing are met, in particular where necessary for the establishment, exercise or defence of legal claims or where another applicable legal basis exists.


  5. Processing when you visit the website (server log files)

When you access our website, the web server automatically records information in so-called server log files, in particular:

  • IP address of the requesting device

  • date and time of the request

  • page/URL accessed and, where applicable, referrer URL

  • browser used, operating system, language settings

  • HTTP status code and data volume transferred

These data are technically necessary to deliver the website and to ensure stability and security (e.g. defence against attacks) as well as, where appropriate, to carry out troubleshooting.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating a secure, stable and technically sound website).

Log files are generally stored only for as long as necessary for the purposes stated; as a rule, the retention period is a few days up to a few weeks, unless longer retention is required for evidentiary purposes (e.g. in the event of security incidents).


5a. Web hosting by Framer (including CDN/edge delivery)

This website is built with Framer and delivered via Framer’s hosting infrastructure.

Provider: Framer B.V., Netherlands.

In the course of hosting, Framer processes technical data necessary for delivery, stability and security (in particular IP address, time of access, pages/files accessed, device and browser information, and technical log data). Delivery may take place via a globally distributed edge/CDN infrastructure.

Due to Framer’s infrastructure, processing outside the EEA, in particular in the United States (AWS), cannot be ruled out. Where this results in a transfer to a third country, the provisions in Section 12 apply.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating the website securely and efficiently).


  6. Cookies, consent management and withdrawal

Our website may use cookies or similar technologies (small files stored on your device) – both for essential functions and for optional purposes (e.g. audience measurement).

  • Essential cookies: required to provide core website functions (e.g. page rendering, security functions, session handling).
    Legal basis: Art. 6(1)(f) GDPR.

  • Non-essential cookies/technologies (e.g. web analytics; loading external content such as embedded widgets): used only with your consent where required by law.
    Legal basis: Art. 6(1)(a) GDPR.

If a cookie/consent banner is used, you can adjust or withdraw your consent(s) at any time with effect for the future (“Cookie settings”). Independently of this, you can delete or block cookies via your browser settings; please note that certain website functions may then be unavailable.


6a. Web analytics with Google Analytics (Google Analytics 4)

We use Google Analytics 4 to analyse the use of our website and to improve our services. In doing so, information about your usage behaviour (e.g. pages visited, interactions), technical information about your browser/device and pseudonymous identifiers may be processed. Google Analytics typically uses cookies or similar technologies for this purpose.

Provider: Google Ireland Limited (EU). Depending on the technical set-up, processing may also be carried out by Google LLC (USA) and/or within the Google group (see Section 12).

Legal basis: consent (Art. 6(1)(a) GDPR), where required by law. Without consent, Google Analytics is not used, or is used only to the extent legally permissible.

Objection/opt-out:

Further information (Google Partner Sites):
https://policies.google.com/technologies/partner-sites


6b. Appointment scheduling with Calendly (embedded widget)

We use Calendly for online appointment scheduling. A Calendly widget is embedded on our website. When you access the page on which the widget is embedded, a connection to Calendly servers is established. In particular, the following data may be processed:

  • contact data you provide during booking (e.g. name, email address, where applicable telephone number)

  • appointment/calendar information (e.g. preferred time slot, time zone, subject/notes)

  • technical and log data (e.g. IP address, device/browser information, time of access, where applicable cookie or similar online identifiers)

The purpose is to provide and carry out appointment bookings and to ensure the stability and security of the scheduling function.

Provider: Calendly LLC, USA (see Section 12).

Legal basis:

  • Art. 6(1)(b) GDPR (steps prior to entering into a contract/communications and appointment organisation).

  • Where the loading of the widget and/or the use of cookies/similar technologies requires consent, the legal basis is your consent (Art. 6(1)(a) GDPR) via the cookie/consent settings (see Section 6).


  7. Contacting us (email, telephone, post, contact forms)

If you contact us by email, telephone, post or via one of the contact forms provided on our website, we process your details in order to handle and respond to your enquiry. This typically includes:

  • identity and contact data (e.g. name, email address, telephone number, postal address)

  • content of communications (enquiries, information about the matter, documents)

  • metadata (time of contact, internal processing notes)

Contact forms (Framer) – two forms
Two contact forms are available on the website (including via the contact page; example link:
https://magical-work-730721.framer.app/contact).
When you submit a form, the data you enter are received by Framer and then forwarded as an email from a Framer server to a @frick.legal address. In addition, technical log data (e.g. IP address, time and status of submission) may be processed to ensure secure operation.

Incoming form emails are processed and stored in our email system (Google Workspace) (see Sections 10 and 12).

Where Framer acts as a processor, this is based on an agreement under Art. 28 GDPR (DPA). Due to Framer’s infrastructure, processing outside the EEA, in particular in the United States (AWS), cannot be ruled out; in such cases, Section 12 applies.

Legal bases:

  • Art. 6(1)(b) GDPR where your enquiry relates to entering into or performing a mandate agreement.

  • Art. 6(1)(f) GDPR where the enquiry is of a general nature (legitimate interest in efficiently handling enquiries and operating functioning contact channels).


  8. Client, prospective client and case data

In the context of mandates or steps leading up to a mandate, we process in particular:

  • master data (e.g. name, address, contact details, where applicable role/position)

  • mandate data and correspondence (facts of the case, correspondence, procedural documents, contracts, opinions, notes)

  • billing-related data (time records, fee invoices, payment information)

  • where applicable, data for statutory due diligence obligations (e.g. identification data, beneficial ownership information)

  • depending on the mandate, special categories of data (Art. 9 GDPR) and/or data under Art. 10 GDPR, where necessary and lawful.

Purposes:

  • assessing whether to accept a mandate (including conflict checks)

  • legal advice and representation

  • administration and documentation

  • compliance with statutory documentation and retention obligations

  • establishment, exercise or defence of legal claims

Legal bases:

  • Art. 6(1)(b) GDPR

  • Art. 6(1)(c) GDPR

  • Art. 6(1)(f) GDPR

  • additionally, for Art. 9 data in particular Art. 9(2) GDPR (especially lit. f), and Art. 10 GDPR to the extent permissible.


  9. Retention and deletion

We store personal data only for as long as necessary for the purposes stated or for as long as statutory retention obligations apply.

In particular:

  • Server log files: typically a few days up to a few weeks (see Section 5).

  • General enquiries without a mandate: as a rule, deletion/anonymisation within 12 months after completion, unless longer retention is required (e.g. for the defence of legal claims).

  • Mandate and case files: retained in accordance with professional rules and other statutory requirements; in practice typically up to 10 years from the end of the mandate, unless longer statutory periods apply or longer retention is necessary to establish/defend legal claims.

After the relevant periods expire, data are deleted or anonymised unless overriding legitimate interests or legal obligations prevent deletion (e.g. ongoing proceedings).


  10. Recipients and categories of recipients

Personal data are shared only to the extent necessary, in particular with:

  • IT and hosting service providers (Framer; including sub-processors such as hosting/infrastructure providers)

  • Google (Google Workspace for email/collaboration; Google Analytics for web analytics)

  • Calendly (appointment scheduling)

  • where applicable, external advisers (e.g. tax advisers, other lawyers, experts), where necessary for the mandate

  • courts, authorities, opposing parties and other participants in proceedings, where required to protect your interests or legally mandated

  • banks, insurers and other contractual counterparties, where required for contract performance or legal enforcement

Where service providers act as processors, this is based on an agreement under Art. 28 GDPR (DPA).

We do not disclose your data for third-party advertising purposes.


  11. Data security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This includes access restrictions, authorisation concepts, encryption of data transmissions (TLS/SSL) and careful selection and contractual binding of service providers.

Please note that communication by email may have security vulnerabilities. For particularly confidential information, we recommend using a secure transmission method (e.g. encrypted communication).


  12. Transfers to third countries

Personal data are transferred to countries outside the European Economic Area (“third countries”) only where necessary for the performance of a contract/steps prior to entering into a contract, where required by law, or where appropriate safeguards under Art. 44 et seq. GDPR are in place.

Switzerland (adequacy decision)
From a GDPR perspective, transfers to Switzerland are generally considered transfers to a country with an adequate level of protection (Art. 45 GDPR).

USA and other third countries
Where we use services whose infrastructure is (also) operated in the USA or other third countries, or where international matters require it, personal data may be transferred to and/or processed in third countries. Depending on the circumstances, we rely on:

  • an adequacy decision (Art. 45 GDPR), where available (e.g. EU–U.S. Data Privacy Framework, if the recipient is duly certified),

  • appropriate safeguards (Art. 46 GDPR), in particular EU Standard Contractual Clauses (SCCs),

  • or, where applicable, an exception under Art. 49 GDPR (e.g. necessity for contract performance or for the establishment, exercise or defence of legal claims).

Specific providers / typical scenarios:

  • Framer / AWS (USA): Website hosting, delivery (edge/CDN) and the contact forms run via Framer; this may involve processing/transfers to the USA (AWS) (e.g. IP address and technical log data when accessing the site, and form content when submitting). Where required, appropriate safeguards (in particular SCCs under Framer’s DPA) may be used.

  • Google Workspace & Google Analytics (USA / global infrastructure): For email/collaboration (Google Workspace) and web analytics (Google Analytics), processing in third countries (in particular the USA) cannot be ruled out depending on the technical set-up. Depending on the circumstances, transfer mechanisms may include adequacy mechanisms (e.g. DPF certification) and/or appropriate safeguards (in particular SCCs).

  • Calendly (USA): A Calendly widget is embedded for appointment scheduling. This can involve processing/transfers to the USA already when the relevant page is accessed (e.g. IP address, technical log data, and—when booking—the contact and appointment details you enter). Depending on the circumstances, appropriate safeguards (in particular SCCs) and/or an adequacy mechanism may be used.

Information on safeguards:
Where SCCs or other appropriate safeguards are used, you may request information about them via the contact details in Section 3, insofar as this is possible without breaching duties of confidentiality and legal professional privilege.


  13. Your rights as a data subject

Subject to the statutory conditions, you have the following rights in particular:

  • right of access (Art. 15 GDPR)

  • right to rectification (Art. 16 GDPR)

  • right to erasure (Art. 17 GDPR)

  • right to restriction of processing (Art. 18 GDPR)

  • right to data portability (Art. 20 GDPR)

  • right to object (Art. 21 GDPR), where processing is based on Art. 6(1)(e) or (f) GDPR

  • right to withdraw consent (Art. 7(3) GDPR) with effect for the future

These rights are exercised subject to legal professional privilege and duties of confidentiality. Where such duties apply, we may only disclose information to the extent permitted by law and may be required to restrict data subject rights accordingly.

To exercise your rights, an informal notice (e.g. by email) to the contact details in Section 3 is sufficient.

You also have the right to lodge a complaint with a supervisory authority (see Section 2).


  14. Requirement to provide data / no automated decision-making

When using the website, you are generally not obliged to provide personal data. However, certain data (e.g. IP address, browser data) are technically necessary to display the website.

To enter into and perform a mandate, it is necessary to provide the personal data required for acceptance and handling of the mandate or that we are legally obliged to collect. Without these data, a mandate generally cannot be entered into or fully performed.

We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR.


  15. Personal data breaches (data breach notification)

We have implemented processes to identify, assess and document personal data breaches (“data breaches”) as early as possible.

Where required under the GDPR, the DSG or other applicable provisions, we will notify the competent supervisory authority (in particular the Data Protection Office, Liechtenstein) without undue delay and, where legally required, affected individuals. In doing so, we will provide information on the nature of the breach, possible consequences and the remedial measures taken or proposed.


  16. Changes to this Privacy Notice

We may update this Privacy Notice if legal or technical conditions change or if the scope of processing changes. The current version published on this website is authoritative.
