Privacy Policy

Last updated: May 2026

Agapitos, Georgiou & Partners Law Firm respects your privacy and is committed to protecting your personal data.

This Privacy Policy explains how Agapitos, Georgiou & Partners Law Firm (“we”, “us”, “our” or the “Firm”) collects, uses, stores, discloses and otherwise processes personal data when you visit our website, contact us, request legal services, instruct us, or otherwise interact with us.

We process personal data in accordance with applicable data protection laws, including Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”), Greek Law 4624/2019, as amended, and applicable Greek data protection and electronic communications legislation.

This Privacy Policy does not form part of any client engagement letter or legal services agreement. If you become our client, additional terms may apply to our professional relationship.

1. Who We Are

The data controller responsible for the processing of personal data described in this Privacy Policy is:

Agapitos, Georgiou & Partners Law Firm
41, Solonos Street
Athens, 106 72
Attiki, Greece
Email: contact@agapitosgeorgiou.com

For privacy-related questions or requests, you may contact us using the above details.

We have not appointed a Data Protection Officer because we are not currently required to do so under Article 37 GDPR.

2. Scope of This Privacy Policy

This Privacy Policy applies to personal data we process in connection with:

  • our website at www.agapitosgeorgiou.com;

  • communications submitted through our website, by email, telephone, post, or other means;

  • legal enquiries and prospective client matters;

  • legal services provided by the Firm;

  • client onboarding, conflict checks, compliance checks, billing, accounting, and administration;

  • newsletters, legal updates, events, and similar communications; and

  • our professional, regulatory, tax, accounting, and legal obligations.

This Privacy Policy applies to personal data relating to clients, prospective clients, website users, business contacts, counterparties, witnesses, experts, consultants, service providers, representatives of legal entities, and other individuals whose personal data may be processed in connection with our legal practice.

3. Personal Data We Collect

We may collect and process different categories of personal data depending on your relationship with us and the context in which we interact with you.

Personal data you provide to us may include:

  • your name;

  • email address;

  • telephone number;

  • postal address;

  • company, organisation, or employer details;

  • job title or professional role;

  • identification and verification information;

  • billing, invoicing, and payment information;

  • information submitted through our website contact forms;

  • information contained in emails, letters, documents, attachments, telephone calls, meetings, or other communications;

  • information relating to legal enquiries, disputes, transactions, advisory matters, or other legal issues;

  • information you provide when subscribing to newsletters or legal updates; and

  • any other information you voluntarily provide to us.

Personal data we may collect automatically when you use our website may include:

  • IP address;

  • browser type and version;

  • device type;

  • operating system;

  • referring website;

  • pages visited;

  • date and time of access;

  • website usage and navigation data;

  • cookie identifiers and similar technical data; and

  • security logs and diagnostic information.

Personal data we may receive from third parties may include:

  • information provided by clients in connection with legal matters;

  • information provided by counterparties, witnesses, experts, consultants, professional advisers, courts, tribunals, regulators, public authorities, public registers, or other persons involved in a legal matter;

  • information obtained from publicly available sources; and

  • information obtained for conflict checks, client due diligence, compliance, legal proceedings, or the provision of legal services.

4. Personal Data Not Obtained Directly From You

In the course of providing legal services, we may receive personal data about individuals from sources other than the individual concerned. This may include personal data about counterparties, witnesses, employees, directors, shareholders, beneficial owners, family members, experts, consultants, public officials, court personnel, or other persons connected with a legal matter.

Such personal data may be provided by clients, counterparties, courts, tribunals, public authorities, professional advisers, public registers, publicly available sources, or other third parties.

Where required by law, we will provide information to such individuals about our processing of their personal data. However, in certain cases, providing such information may be impossible, involve disproportionate effort, seriously impair the purpose of the processing, or be restricted by legal professional privilege, professional secrecy, confidentiality obligations, court rules, regulatory obligations, or applicable law.

5. Special Category Data and Criminal Offence Data

In the course of providing legal services, we may process personal data that is considered “special category data” under GDPR. This may include data relating to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, sexual orientation, biometric data, genetic data, or other sensitive information, where relevant to a legal matter.

We may also process personal data relating to criminal convictions, criminal offences, allegations, investigations, sanctions, security measures, or related proceedings where permitted by applicable law and where necessary in connection with legal advice, legal proceedings, regulatory obligations, or the establishment, exercise, or defence of legal claims.

We will process such data only where permitted by applicable law, including where necessary for:

  • the establishment, exercise, or defence of legal claims;

  • legal proceedings or prospective legal proceedings;

  • the provision of legal advice in connection with a legal matter;

  • compliance with legal, regulatory, or professional obligations;

  • reasons of substantial public interest, where applicable;

  • the protection of vital interests, where applicable;

  • explicit consent, where required and appropriate; and

  • another lawful basis permitted by GDPR or applicable Greek law.

6. Purposes for Which We Use Personal Data

We may process personal data for the following purposes:

  • responding to enquiries and communications;

  • assessing whether we can act for a prospective client;

  • conducting conflict checks;

  • conducting client onboarding, identity verification, anti-money laundering checks, sanctions checks, and other compliance checks where required;

  • providing legal advice and legal services;

  • managing client matters, case files, transactions, disputes, negotiations, proceedings, and related work;

  • communicating with clients, prospective clients, counterparties, courts, tribunals, regulators, public authorities, experts, consultants, and professional advisers;

  • preparing, reviewing, negotiating, filing, serving, or exchanging legal documents;

  • issuing invoices and managing payments, accounting, and financial administration;

  • complying with legal, regulatory, tax, accounting, anti-money laundering, professional, and ethical obligations;

  • maintaining professional records and internal administrative records;

  • establishing, exercising, or defending legal claims;

  • protecting our rights, interests, property, security, and reputation;

  • maintaining the security and functionality of our website, IT systems, communications, and premises;

  • detecting, preventing, and responding to fraud, cyber incidents, misuse, or unlawful activity;

  • administering and improving our website;

  • analysing website traffic and usage where permitted;

  • sending newsletters, legal updates, event invitations, or similar communications where you have consented or where otherwise permitted by applicable law;

  • managing subscriptions, unsubscribe requests, and communication preferences;

  • using artificial intelligence tools, where appropriate and lawful, to support our legal services and internal administrative processes; and

  • complying with court orders, regulatory requests, professional rules, or other lawful requests.

7. Legal Bases for Processing

We process personal data only where we have a lawful basis to do so.

Depending on the circumstances, we may rely on one or more of the following legal bases:

  • performance of a contract or steps prior to entering into a contract;

  • compliance with legal obligations to which we are subject;

  • our legitimate interests, provided those interests are not overridden by your rights and freedoms;

  • your consent, where required;

  • the establishment, exercise, or defence of legal claims; and

  • another lawful basis permitted by GDPR or applicable law.

In particular, we rely on the following legal bases for the following processing activities:

  • responding to legal enquiries: legitimate interests and/or steps prior to entering into a contract;

  • assessing whether we can accept instructions: legitimate interests, legal obligations, and professional obligations;

  • conflict checks: legitimate interests and professional obligations;

  • client onboarding and identity verification: legal obligations, legitimate interests, and/or performance of a contract;

  • providing legal services: performance of a contract, legitimate interests, legal obligations, and/or establishment, exercise, or defence of legal claims;

  • processing special category data: establishment, exercise, or defence of legal claims, substantial public interest where applicable, explicit consent where required, and/or another lawful basis permitted by law;

  • processing criminal offence data: where authorised or permitted by applicable law and necessary for legal advice, legal proceedings, compliance, or legal claims;

  • billing, accounting, and tax records: performance of a contract and compliance with legal obligations;

  • legal claims and dispute management: legitimate interests and establishment, exercise, or defence of legal claims;

  • website operation and security: legitimate interests in operating a secure and functional website;

  • non-essential cookies, analytics cookies, tracking technologies, and similar tools: consent, where required by applicable law;

  • newsletters and legal updates: consent or another lawful basis where permitted by applicable law;

  • use of AI tools to support legal services and internal processes: legitimate interests, performance of a contract, compliance with legal obligations, establishment, exercise or defence of legal claims, and/or another lawful basis depending on the context; and

  • compliance with court, regulatory, professional, or legal obligations: compliance with legal obligations and/or establishment, exercise, or defence of legal claims.

Where we rely on legitimate interests, these may include operating and managing our legal practice, responding to enquiries, protecting our systems and communications, maintaining professional records, managing risks, preventing fraud, improving our website, improving the efficiency and quality of our services, and protecting our legal rights and professional position.

8. Cookies and Similar Technologies

Our website may use cookies and similar technologies.

Cookies are small text files placed on your device when you visit a website. Similar technologies may include pixels, tags, scripts, local storage, or other tools that store or access information on your device.

We may use the following categories of cookies and similar technologies:

  • strictly necessary cookies, which are required for the website to function properly;

  • functionality cookies, which help remember preferences or settings;

  • performance and analytics cookies, which help us understand how visitors use the website;

  • security cookies, which help protect the website and users;

  • marketing or third-party cookies, where used and where permitted.

Strictly necessary cookies may be used without consent where they are required to provide the website or a service you request.

Non-essential cookies and similar technologies, including analytics, advertising, social media, tracking pixels, and similar tools, will be used only where valid consent has been obtained, where required by applicable law. The Hellenic Data Protection Authority (HDPA)’s own cookie information distinguishes necessary cookies from optional cookies and states that optional cookies are used only with consent.

You may manage cookie preferences through our cookie consent tool, where available, and through your browser settings.

Detailed information about the cookies and similar technologies used on our website, including their provider, purpose, category, duration, and whether consent is required, is provided in our Cookie Policy.

9. Newsletters, Legal Updates, and Marketing Communications

Where you subscribe to receive newsletters, legal updates, event invitations, or similar communications, we may use your contact details to send such communications.

We will send electronic marketing communications only where you have consented or where otherwise permitted under applicable data protection and electronic communications law.

You may unsubscribe or object to receiving such communications at any time by using the unsubscribe link included in the relevant communication or by contacting us at contact@agapitosgeorgiou.com.

We may retain limited information after you unsubscribe to ensure that your preference is respected.

10. Use of Artificial Intelligence (AI) Tools

We may, from time to time, use artificial intelligence (“AI”) tools, software, or services to assist with the delivery, efficiency, quality, administration, organisation, review, analysis, or management of legal services and internal business operations.

The use of such technologies may involve the processing of personal data.

Where we use third-party AI service providers, we take reasonable steps to ensure that such providers are subject to appropriate confidentiality, security, contractual, and data protection obligations and that the use of such services complies with applicable data protection laws and, where applicable, laws relating to artificial intelligence and automated systems.

We implement appropriate technical and organisational safeguards designed to protect personal data processed through such tools.

Where AI tools are provided by third-party service providers, we seek, where reasonably possible and appropriate, to use services that provide contractual, technical, or organisational safeguards designed to prevent client or matter-related data from being used to train publicly accessible or general-purpose AI models without appropriate authorisation.

AI technologies are used solely to support and enhance our professional services and internal processes. They do not replace the professional judgment, expertise, supervision, or responsibility of our lawyers and legal professionals.

Any legal advice, analysis, work product, strategic decisions, or professional conclusions provided by the Firm remain subject to human review, oversight, and responsibility by appropriately qualified legal professionals.

11. Disclosure of Personal Data

We do not sell or rent personal data.

We may disclose personal data where necessary and lawful to:

  • courts, tribunals, arbitral institutions, mediators, regulators, public authorities, law enforcement bodies, and governmental authorities;

  • counterparties, opposing counsel, parties to proceedings, transaction participants, and other persons involved in a legal matter;

  • clients, where the data is relevant to the legal services we provide;

  • experts, consultants, translators, investigators, notaries, bailiffs, accountants, auditors, tax advisers, and other professional advisers;

  • IT providers, cloud service providers, hosting providers, cybersecurity providers, email and communication providers, document management providers, AI service providers, and other technology service providers;

  • payment service providers, banks, accounting service providers, and billing providers;

  • professional indemnity insurers, insurance brokers, auditors, and risk management advisers;

  • Bar Associations, professional bodies, or regulatory bodies where required;

  • third parties involved in a business reorganisation, merger, transfer, or restructuring of our practice, where applicable; and

  • other third parties where disclosure is required by law, necessary for the provision of legal services, necessary for legal claims, or otherwise permitted by applicable law.

Where service providers process personal data on our behalf, we require them to process such data only in accordance with our instructions and to apply appropriate confidentiality, security, and data protection measures.

Some disclosures may be subject to legal professional privilege, professional secrecy, confidentiality obligations, court rules, or other legal restrictions.

12. International Transfers

Some of our service providers, counterparties, professional advisers, or other recipients may be located outside the European Economic Area (“EEA”), or may process personal data outside the EEA.

Where personal data is transferred outside the EEA, we will ensure that an appropriate transfer mechanism is in place in accordance with GDPR. This may include:

  • an adequacy decision issued by the European Commission;

  • standard contractual clauses approved by the European Commission;

  • binding corporate rules, where applicable;

  • derogations permitted under GDPR, including where a transfer is necessary for the establishment, exercise, or defence of legal claims; and

  • another safeguard or mechanism permitted by applicable law.

You may contact us for further information about the safeguards applicable to relevant international transfers.

13. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected or otherwise processed, including for the provision of legal services, compliance with legal, regulatory, tax, accounting, anti-money laundering, professional, and record-keeping obligations, dispute resolution, enforcement purposes, and the establishment, exercise, or defence of legal claims.

To determine the appropriate retention period for personal data, we consider:

  • the amount, nature, and sensitivity of the personal data;

  • the potential risk of harm arising from unauthorised use or disclosure;

  • the purposes for which we process the personal data and whether those purposes can be achieved through other means;

  • applicable legal, regulatory, tax, accounting, professional, and limitation requirements;

  • the nature and duration of the relevant legal matter or professional relationship;

  • our professional obligations and legitimate interests.

As a general guide:

  • website contact enquiries where no client relationship is formed may be retained for up to twenty-four (24) months after the last communication, unless a longer period is necessary for legal, professional, conflict-check, or dispute-related reasons;

  • client matter files may be retained for the duration of the matter and for ten (10) years after the matter is closed, unless a longer or shorter period is required or permitted by law, professional rules, limitation periods, legal claims, client instructions, insurance requirements, or operational requirements;

  • conflict-check and client-identification records may be retained for as long as necessary to identify and manage professional conflicts, comply with legal obligations, and protect our legal and professional position;

  • billing, accounting, tax, anti-money laundering, payment, and compliance records may be retained for the periods required under applicable law;

  • newsletter subscription data may be retained until you unsubscribe or object, and limited suppression records may be retained thereafter to ensure that your preference is respected;

  • website logs, security records, and diagnostic data may be retained for a limited period necessary for security, fraud prevention, diagnostics, and operational purposes;

  • cookie data is retained according to the duration of each cookie, as described in our Cookie Policy or cookie settings tool.

When personal data is no longer required, we will securely delete, anonymise, or otherwise dispose of it in accordance with applicable law and our internal retention procedures.

If you would like further information regarding the retention periods applicable to your personal data, you may contact us at contact@agapitosgeorgiou.com.

14. Data Security

We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.

These measures may include access controls, confidentiality obligations, secure communication tools, technical safeguards, document management procedures, IT security measures, staff awareness, and service-provider controls.

However, no method of transmission over the internet or method of electronic storage is completely secure. While we take reasonable steps to protect personal data, we cannot guarantee absolute security.

In the event of a personal data breach, we will take such steps as are required under applicable law, including, where applicable, notifying the competent supervisory authority and affected individuals within the timeframes prescribed by GDPR.

15. Your Rights

Subject to applicable law, you may have the following rights in relation to your personal data.

  • Right to Be Informed

You have the right to be informed about how your personal data is collected, used, stored, shared, and otherwise processed. This Privacy Policy is intended to provide that information in a concise, transparent, intelligible, and accessible form.

  • Right of Access

You have the right to request confirmation as to whether we process your personal data and, where that is the case, to request access to the personal data and related information regarding our processing activities.

  • Right to Rectification

You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data.

  • Right to Erasure

You have the right to request the deletion of your personal data in certain circumstances, including where: (a) the personal data is no longer necessary for the purposes for which it was collected or processed; (b) you withdraw consent where processing is based on consent and no other lawful basis applies; (c) the personal data has been unlawfully processed; (d) deletion is required to comply with a legal obligation.

  • Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest its accuracy or object to processing.

  • Right to Object

You have the right to object to the processing of your personal data where processing is based on legitimate interests.

You also have the right to object at any time to the use of your personal data for direct marketing purposes, including related profiling activities.

  • Right to Data Portability

Where applicable, you have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format and to request transmission of such data to another controller where technically feasible.

  • Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw your consent at any time.

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal and does not affect processing carried out on another lawful basis.

  • Rights Relating to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, where such decision produces legal effects concerning you or similarly significantly affects you.

  • Right to Lodge a Complaint

You have the right to lodge a complaint with the competent supervisory authority if you believe that our processing of your personal data infringes applicable data protection law.

In Greece, the competent supervisory authority is:

Hellenic Data Protection Authority
Kifissias 1-3
115 23 Athens
Greece
Telephone: +30 210 6475600
Email: contact@dpa.gr

You may also lodge a complaint with another competent supervisory authority where applicable.

  • Exercising Your Rights

You may exercise your rights or submit privacy-related requests by contacting us at:

contact@agapitosgeorgiou.com

Please provide a clear description of your request, and sufficient information to allow us to identify the relevant data and verify your identity where necessary.

We may request additional information or documentation to confirm your identity where proportionate and necessary to protect personal data and comply with our legal obligations.

We may also request clarification where necessary to properly understand or respond to your request.

You will not usually have to pay a fee to exercise your rights. However, we may charge a reasonable fee or refuse to act on a request where permitted by applicable law, including where a request is manifestly unfounded, excessive, or repetitive.

We aim to respond to legitimate requests within one month or within any other applicable legal deadline. Where permitted by law, we may extend this period where requests are particularly complex or numerous, in which case we will notify you accordingly.

Your rights may be subject to restrictions or limitations where necessary to protect legal professional privilege, professional secrecy, confidentiality obligations, legal claims, court proceedings, regulatory obligations, the rights of others, or other protected legal interests.

16. Provision of Personal Data

Where we request personal data, we will indicate where the provision of such data is required by law, required under a contract, or necessary for us to respond to an enquiry, assess whether we can act, or provide legal services.

If you do not provide information that is necessary for these purposes, we may be unable to respond to your enquiry, accept instructions, complete onboarding or compliance checks, provide legal services, or continue acting.

The provision of personal data for newsletters, legal updates, and non-essential cookies is voluntary.

17. Automated Decision-Making

We do not use personal data for decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you.

For the avoidance of doubt, our use of AI tools, where applicable, is subject to human review and oversight and does not constitute solely automated decision-making producing legal or similarly significant effects.

18. Legal Professional Privilege, Professional Secrecy, and Confidentiality

As a law firm, we are subject to professional secrecy, confidentiality obligations, and legal professional privilege under applicable laws, professional rules, and ethical obligations.

Certain rights, disclosures, notices, or obligations under data protection law may therefore be subject to legal or professional restrictions where applicable.

Nothing in this Privacy Policy is intended to waive legal professional privilege, professional secrecy, confidentiality, or any protection available under applicable law.

19. Third-Party Websites and External Links

Our website may contain links to third-party websites, external platforms, embedded content, files, services, or resources.

The inclusion of any link does not constitute or imply any endorsement, approval, authorisation, affiliation, or representation by us in relation to the relevant third party or its services.

We do not control and are not responsible for the content, security, privacy practices, policies, or operation of third-party websites or services.

Third-party websites and services may place their own cookies or similar technologies on your device, collect data from you, or process your personal data independently.

We encourage you to review the privacy policies, cookie policies, and terms of use of any third-party websites or services that you access.

20. Children’s Privacy

Our website is not directed to children, and we do not knowingly collect personal data from children through the website.

However, in the course of providing legal services, we may process personal data relating to minors where necessary and lawful in connection with a legal matter, legal obligation, regulatory obligation, professional obligation, or the establishment, exercise, or defence of legal claims.

If we become aware that personal data relating to a child has been collected through the website without appropriate authorisation where required, we will take reasonable steps to delete such information.

21. Contacting Us Through the Website

You may contact us through the website or by email.

Please note that contacting us through the website or by email does not by itself create a lawyer-client relationship. A lawyer-client relationship is created only when we have agreed to act for you and any applicable onboarding, conflict-check, and engagement requirements have been completed.

You should not send confidential, sensitive, or time-critical information through the website unless we have agreed to act for you or have requested that information.

22. Changes to This Privacy Policy

We may amend or update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, regulatory requirements, technology, or website functionality.

Any updated version will be posted on this page with a revised “Last updated” date.

23. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of personal data, please contact:

Agapitos, Georgiou & Partners Law Firm
41, Solonos Street
Athens, 106 72
Attiki, Greece
Email: contact@agapitosgeorgiou.com