Privacy notice

How we process your personal data

Last updated: January 6th, 2026

This privacy notice explains how Orestis Kanellos, Attorney-at-Law (“we,” “us,” or “our”) collects, uses, stores, and protects your personal information when you visit our website or engage our legal services.

We are committed to protecting your privacy and handling your personal data in accordance with the General Data Protection Regulation (GDPR) and Greek data protection law (Law 4624/2019).

Who We Are

This website is managed by Orestis Kanellos, Attorney-at-Law, a member of the Athens Bar Association. Our registered office is at 24 Derigny Street, 10434 Athens, Greece. For data protection matters, you can contact us at office@kanelloslegal.com.

We act as a data controller when we determine how and why your personal data is processed.

What Information We Collect

The personal information we collect depends on how you interact with us:

When you visit our website, we may collect technical information including your IP address, browser type and version, operating system, referring website, pages you visit, time and date of your visit, and time spent on pages. This information is collected through cookies and similar technologies (see our Cookie Policy for details).

When you contact us through email, contact forms, or phone, we collect the information you provide, such as your name, email address, phone number, company name (if applicable), and the content of your message or inquiry.

When you subscribe to our newsletter or publications, we collect your name and email address, along with your communication preferences.

When you become a client, we collect more extensive information necessary to provide legal services, which may include your full name, contact details, identification documents, business information, financial information, details about your legal matter, and any other information relevant to your case. The specific information we collect will depend on the nature of your legal matter and will be explained in our engagement letter.

From third parties – In some cases, we may receive information about you from other sources, such as courts, public registries, opposing parties, co-counsel, experts, or other third parties involved in your legal matter, but only where this is necessary for providing legal services or required by law.

Legal Basis for Processing

We process your personal data only where we have a legal basis to do so under GDPR:

Consent – When you contact us through our website, subscribe to our newsletter, or otherwise voluntarily provide information, we rely on your consent. You can withdraw your consent at any time by contacting us.
Contractual necessity – When you engage our legal services, we process your data to fulfill our contractual obligations under our engagement letter and to take steps at your request before entering into a contract.
Legal obligation – As attorneys, we are required by law and professional rules to process certain data, including for client identification (anti-money laundering requirements), conflict checks, maintaining files for statutory retention periods, and complying with court orders or regulatory requests.
Legitimate interests – We may process data based on our legitimate interests in operating our law practice efficiently, maintaining our website, improving our services, preventing fraud, and protecting our legal rights. We only rely on this basis where our interests are not overridden by your rights and freedoms.
Vital interests – In rare cases, we may process data to protect someone’s life or physical safety.

How We Use Your Information

We use your personal information for the following purposes:
To respond to your inquiries – When you contact us, we use your information to understand your needs and respond appropriately.
To provide legal services – When you are a client, we use your information to provide legal advice, represent you, prepare documents, communicate with third parties on your behalf, and fulfill all obligations under our engagement.
To manage our relationship with you – This includes sending administrative information, managing billing and payments, maintaining our client database, and performing conflict checks.
To comply with legal and professional obligations – We process data to meet our obligations under anti-money laundering laws, tax laws, court orders, regulatory requirements, and the professional rules of the Athens Bar Association.
To send marketing communications – With your consent, we may send newsletters, legal updates, event invitations, or other marketing materials. You can unsubscribe at any time using the link in our emails or by contacting us.
To maintain and improve our website – We analyze website usage to understand how visitors use our site, improve functionality, troubleshoot problems, and enhance user experience.
To protect our rights and interests – We may use data to enforce our terms of use, protect against fraud or security threats, and defend legal claims.

How We Share Your Information

We respect the confidentiality of your information and only share it in the following circumstances:
With your consent – We will share your information with third parties when you have given us permission to do so.
Service providers – We work with trusted third-party service providers who assist us in operating our business, such as IT support providers, cloud storage services, accounting firms, and professional consultants. These providers are contractually obligated to protect your data and use it only for the purposes we specify.
Legal and professional requirements – We may disclose information when required by law, court order, or regulatory authority, or when necessary to comply with professional obligations such as those imposed by the Athens Bar Association or anti-money laundering regulations.
In connection with legal matters – When representing you, we may need to share information with courts, opposing parties, co-counsel, expert witnesses, investigators, or other parties involved in your legal matter.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

International Transfers

Your personal information is primarily stored and processed within the European Economic Area (EEA). If we need to transfer data outside the EEA (for example, when using certain cloud services), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or adequacy decisions. You can request information about specific transfers by contacting us.

How Long We Keep Your Information

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal and professional obligations.

Website visitor data is typically retained for no longer than necessary for analytics purposes, usually not more than 24 months.
Inquiry data from non-clients is retained for up to 24 months after your last contact with us, unless you request earlier deletion.
Newsletter subscribers – Your data is retained until you unsubscribe or we cease sending newsletters.
Client data is retained in accordance with our professional obligations under Greek law and the Athens Bar Association rules. Generally, this means we retain client files for at least five years after the conclusion of a matter, and in many cases longer depending on the nature of the work, limitation periods for potential claims, and specific legal requirements. Some documents may need to be retained indefinitely.

After the retention period expires, we securely delete or anonymize your personal information. However, we may retain certain information for longer if required by law, to establish or defend legal claims, or with your consent.

Your Rights

Under GDPR and Greek data protection law, you have the following rights regarding your personal information:

Right of access – You can request a copy of the personal data we hold about you, along with information about how we use it.
Right to rectification – You can ask us to correct inaccurate or incomplete personal data.
Right to erasure – You can request that we delete your personal data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
Right to restrict processing – You can ask us to temporarily stop processing your data in certain situations, such as when you contest the accuracy of the data or object to processing.
Right to data portability – You can request that we provide your data in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.
Right to object – You can object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent – Where we rely on consent, you can withdraw it at any time, though this won’t affect the lawfulness of processing before withdrawal.
Right to lodge a complaint – You have the right to lodge a complaint with a supervisory authority. In Greece, this is the Hellenic Data Protection Authority (www.dpa.gr).

Important limitations: These rights are not absolute and may be limited in certain circumstances, particularly where we are processing data to comply with legal obligations or professional duties. For example, as attorneys we may need to retain client files for specific periods regardless of deletion requests.

To exercise any of these rights, please contact us at privacy@kanelloslegal.com.

Security

We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction.

These measures include secure servers, encryption of data in transit and at rest (where appropriate), access controls limiting who can view your data, regular security assessments, staff training on data protection, and secure backup procedures.

However, please note that no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.

If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.

Children’s Privacy

Our website and services are not directed at children under the age of 16, and we do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately so we can delete it.

Automated Decision-Making

We do not use automated decision-making or profiling that would have legal or similarly significant effects on you.

Changes to This Privacy Notice

We may update this privacy notice from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make significant changes, we will post the updated notice on our website with a new “last updated” date. We encourage you to review this notice periodically.

If we make material changes that significantly affect your rights, we will notify you by email (if we have your email address) or by prominent notice on our website before the changes take effect.

Third-Party Websites

Our website may contain links to external websites operated by third parties. This privacy notice applies only to our website and services. We are not responsible for the privacy practices of third-party websites, and we encourage you to read their privacy policies before providing any personal information.

Contact Us

If you have any questions about this privacy notice, how we handle your personal data, or wish to exercise any of your rights, please contact us:
Email: privacy@kanelloslegal.com
Post: Orestis Kanellos, Attorney-at-Law, 24 Derigny Street, 10434 Athens, Greece
Phone: +30 210 8054601

For data protection matters specifically, you may also contact our data protection contact at the same address.

If you are not satisfied with our response to any privacy concern, you have the right to lodge a complaint with the Hellenic Data Protection Authority:

Hellenic Data Protection Authority

Kifisias Ave. 1-3, 11523 Athens, Greece
Tel: +30 210 6475600
Website: www.dpa.gr