M L

Privacy Policy

Our commitment

Mendes, Duarte Rocha & Associados, Sociedade de Advogados, Lda (hereinafter “MDR”) is firmly committed to privacy and the rights of data subjects, acting in accordance with the provisions of applicable legislation.

Privacy policy

This Privacy policy provides you with information regarding the collection and processing of your personal data.

The “data controller” is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data. Unless otherwise notified, MDR acts as the data controller for your personal data.

Data subjects are the natural persons to whom the data relates. We want you to be aware of how MDR processes your personal data, as well as the rights you enjoy as a data subject.

With this Policy, we aim to answer the following questions:

  1. What personal data does MDR process, to whom does it relate, and how is it collected?
  2. For what purposes and on what legal basis does MDR process personal data?
  3. How long do we retain personal data?
  4. To whom does MDR disclose personal data?
  5. Is personal data secure?
  6. What rights do you have as a data subject?
  7. How can you exercise your rights?
  8. How can you contact us?
  9. How can you keep up to date with the processing of personal data?

1. What personal data does MDR process, who does it relate to, and how is it collected?

Personal data means any information of any nature and regardless of its medium, including sound and images, relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to a combination of specific elements relating to their physical, physiological, mental, economic, cultural or social identity. Consequently, this does not include personal data from which the identity has been removed (anonymous data).

The categories of sensitive personal data include information revealing: ancestry, sex, race, ethnic origin; political opinions, religious or philosophical beliefs; membership of a political or trade union organisation; medical information, private life, genetic information or information concerning health; biometric data that uniquely identifies a person; data relating to criminal convictions and offences.

In specific and limited circumstances, MDR collects categories of sensitive personal data, namely when such information is provided to us in the course of providing our services. The processing of sensitive data only takes place when strictly necessary and on an appropriate legal basis, in accordance with Mozambican law.

MDR may process the following categories of personal data:

a) Identification and contact details (e.g., name, date of birth, gender, address, contact details, ID card details, passport details, tax reference number, nationality);

b) Data relating to education and professional experience (e.g., education, qualifications, certifications, languages, CV, information from previous employer);

c) Professional data (e.g., position, role, job description, company, office address);

d) Data relating to professional activity (e.g., business activities, information relating to cases and files, information relating to proceedings);

e) Billing data (e.g., account number and payment card details, fees, travel and communication expenses on behalf of the client);

f) Expense and travel data (e.g., dietary requirements, travel booking details, expenses, travel references and vouchers);

g) Image and sound recording data (e.g., photographs and video footage);

h) Browsing data (e.g. cookies).

The categories of personal data listed above may relate to different categories of data subjects, such as clients, clients’ employees (companies), counterparties, applicants or MDR alumni.

Collection of personal data

MDR collects personal data through various means and at various times.

Direct collection of personal data: personal data is provided directly by data subjects through direct interactions with MDR. When personal data is collected directly from the data subject, information regarding the purpose of processing, the identity of the data controller and other information required by law is provided at the time of collection. Such direct interactions include, in particular:

  • contact via email and telephone and responses to invitations;
  • submission of your personal card;
  • subscription to our newsletters or events;
  • job applications;
  • contracting services.

Indirect collection of personal data: in some cases, MDR may collect personal data indirectly, in particular from public sources or clients. Without prejudice to any restrictions arising from professional secrecy, other ethical standards and judicial confidentiality, when MDR processes personal data it has collected indirectly, it will provide all information relating to the processing of such data to the data subjects at the earliest opportunity or, at the latest, within 15 (fifteen) days of collection, unless the information is already known to the data subject.

Where it is necessary to collect personal data due to a legal requirement or under the terms of a contract you have with MDR, and such data is not provided when requested, we may not be able to perform the contract (for example, provide our services). In such situations, MDR may refuse to provide or receive the services, in which case you will be notified, if applicable.

2. For what purposes and on what legal basis does MDR process personal data?

MDR uses personal data for the purposes for which it was collected, as detailed below, unless it reasonably considers it necessary to use the personal data for other purposes and such purposes are compatible with the original purpose.

MDR processes your personal data in strict compliance with the law, where there is a legal basis permitting it. Accordingly, we use your personal data in the following circumstances:

  •  Performance of a contract: where we need to fulfil a contract we have entered into or are about to enter into;
  •  Legitimate interest: where necessary to pursue our interests (or the interests of third parties), provided that your fundamental rights do not override such interests; and, before processing your personal data, we ensure that we assess and balance any potential impact on you and your rights.
  •  Legal obligation: when we need to comply with legal or regulatory obligations to which we are subject.
  • Consent: where you have given us your consent to process your personal data
  •  Exercise of rights: where necessary for the exercise of rights in judicial, administrative or arbitration proceedings.

MDR may process personal data for the following purposes and on the following legal grounds:

a) To provide legal services, which may include:

  • Opening a client file and managing it
  • Recording of service proposals submitted;
  • Communications with the client, other parties and/or public bodies, including courts; and
  • Archiving of documentation in digital and physical formats.

The legal basis, in this case, is the performance of a contract entered into with clients and legitimate interest, specifically:

  • MDR’s interest in processing its clients’ information in a sustainable and efficient manner, ensuring its quality and integrity and enabling the provision of excellent services;
  • MDR’s interest in processing information relating to counterparties, witnesses and other persons who may be involved in transactions, matters and proceedings in which MDR is involved; and
  • The interest of clients represented by MDR in the context of the execution of the mandate and the provision of legal assistance.

b) For communications and the sending of information, including the dissemination of legal information (e.g., newsletters, briefings, legal alerts), in accordance with your preferences.

The legal basis is legitimate interest, specifically:

  • To respond to requests from subscribers to forms on the MDR website and tailor the relevant communications;
  • To contribute to the development of legal scholarship and play a significant role within the legal profession; and
  • To strengthen MDR’s culture and maintain close ties with its alumni.

c) For event management, which includes:

  • Sending out invitations to events and registering participants; and
  • Internal and external promotion of events.

The applicable legal grounds are consent and legitimate interest, specifically (1):

  • Responding to requests from subscribers to forms on the MDR website and tailoring communications accordingly;
  • Contributing to the development of legal science and playing a significant role in the legal profession; and
  • To publicise events promoted by MDR.

d) To protect people and property, which includes the collection of images via CCTV, in accordance with applicable Mozambican legislation.

The legal basis is legitimate interest, specifically:

  • To ensure the protection of persons on MDR’s premises;
  • To detect and prevent security incidents;
  • To detect and prevent unauthorised access to MDR’s premises and restricted areas;
  • Reviewing security incidents, including security training exercises.

e) To comply with legal obligations regarding compliance.

  • The legal basis is compliance with a legal obligation.

f) For invoicing and accounting management, which includes:

  • Accounting for expenses, cost control and reimbursements (e.g., travel and mobile phone expenses to be borne by customers);
  • Invoicing and current account management; and
  • Maintenance of accounting records and supporting documentation.

The legal basis is the performance of a contract; compliance with a legal obligation and legitimate interest, specifically:

  • Maintaining efficient management control, invoicing services provided in a timely manner and ensuring compliance with applicable legal obligations.

g) For the submission of cases to legal directories, in accordance with the applicable ethical standards.

The legal basis is legitimate interest, specifically:

  • To promote the culture and excellence of MDR and its lawyers.

h) For debt collection and judicial and extrajudicial claims, which includes the collection and recovery of amounts owed by clients.

The legal basis is legitimate interest, specifically:

  •  To satisfy its claims and defend its rights.

i) For recruitment and selection, which includes the review of applications and CVs, as well as the internal selection process for lawyers and staff in accordance with identified needs.

The legal basis is pre-contractual processing at the request of the data subject and legitimate interest, specifically:

  • To review applications and subject candidates to an internal selection process, in accordance with pre-defined criteria.

j) For statistical purposes, which includes the analysis of personal data contained in proposals, with the results of this processing corresponding to aggregated data. This data will be anonymised or pseudonymised, making it impossible to re-identify the data subjects once the statistical operation has been completed.

k) To optimise the browsing experience, which includes the collection of browsing information via cookies.

The legal basis is consent.

3. How long do we retain personal data?

MDR will only retain your data for as long as is necessary to fulfil the purposes set out in this Policy or for as long as required by applicable legal or regulatory standards.

The retention periods for personal data, according to each processing purpose, are as follows:

Purpose of processing > Retention period

  • Provision of legal services > Duration of the client-solicitor relationship, plus 20 years, based on limitation periods applicable to certain civil, commercial and criminal liabilities, as well as on the need to safeguard the legitimate interests of MDR and its clients in the event of any litigation, audits or administrative proceedings. This extended period will be reviewed periodically and personal data will cease to be processed for operational purposes once the mandatory minimum legal time limits have been met, and will, wherever possible, be anonymised or pseudonymised.
  • Communications and sending of information > Until the data subject objects.
  • Event management > 2 years from the date of contact or participation in an event (as applicable), provided there is no further contact or participation in another event by the data subject.
  • Protection of persons and property > 30 days.
  • Compliance with legal obligations > 10 years, from the time the customer was identified or, in the case of business relationships, from the termination of such relationships.
  • Invoicing and accounting management > 10 years.
  • Submission of cases to legal directories > For the duration of the case or file.
  • Debt collection and judicial and extrajudicial claims > Until the outstanding amounts are paid or the dispute is resolved, as applicable.
  • Recruitment and selection > 2 years from the date of submission of the application or CV, if the candidate is not selected;
  • Response to contact requests > Until the request has been dealt with.
  • For statistical purposes > For as long as deemed necessary, with appropriate technical and organisational measures in place to safeguard the rights of data subjects.

To optimise your browsing experience > Up to 2 years and
for the duration of the professional relationship with MDR, in all other cases.

4. To whom does MDR disclose personal data?

MDR does not disclose your personal data to third parties, except where this is necessary for the provision of the services you have contracted or to comply with legal obligations to which MDR is subject.

The transfer of personal data to third parties is carried out in accordance with applicable data protection legislation and within the limits, purposes and legal grounds defined in this Policy.

MDR requires any person or entity to whom it discloses personal data to respect the confidentiality and security of such data and to process it in accordance with applicable laws and regulations. We do not permit such recipients to use personal data for their own purposes and only permit the processing of personal data for specific purposes and in accordance with the instructions we provide.

MDR may share personal data with the following entities:

  • Parties relevant to the legal advice we provide, such as counterparties, courts, law enforcement authorities, regulatory authorities, government institutions or other lawyers;
  • Law firms belonging to the Morais Leitão Legal Circle network or the Lex Mundi network, for purposes relating to the management, coordination and integrated provision of legal services within the scope of MDR’s activities
  • Public authorities and the Bar Association, in the context of compliance with legal obligations;
  • Service providers who provide services to MDR in connection with the purposes described above, such as, for example, providers of Information Technology (IT), communications services, translation services and digital and physical archiving services.

We may be required to disclose your information to comply with legal or regulatory obligations. We will make every reasonable effort to notify you before doing so, unless we are legally prevented from doing so

5. Is personal data secure?

MDR has a very strict security policy, both technically and organisationally, to protect personal data against unauthorised destruction, loss, alteration, disclosure or access, and against any other form of unlawful or abusive processing, including:

  • Pseudonymisation and encryption of personal data;
  • Measures to ensure the confidentiality, integrity, availability and resilience of systems and services;
  • Measures to restore the availability of and access to personal data in a timely manner in the event of security incidents;
  • Additional security measures for access to IT systems.

The technical and organisational security measures established and implemented by MDR are also required of MDR’s service providers who may process personal data on its behalf.

Where a particular type of processing is likely to result in a high risk to the rights and freedoms of data subjects, MDR carries out, prior to commencing processing, an impact assessment of the envisaged processing operations on the protection of personal data.

If you have any questions in this regard, would like further details about our data security, or are aware of any inappropriate situation, please contact us via any of the channels listed in point 9 below.

6. What rights do you have as a data subject?

As a data subject, you have the following rights:

  • Right to information 
    You have the right to be informed, in a clear and accessible manner, of: the identity and address of the data controller; the purposes of the processing; the categories of personal data; with which parties the data is shared; possible consequences of failure to respond; whether or not processing is taking place; the recipients or categories of recipients; any available information regarding the origin of the data.
  • Right of access
    At any time, you may request confirmation as to whether MDR processes your data, access to your personal data and information regarding the processing thereof, including details of the purpose(s) for which your personal data is processed and the recipients or categories of recipients to whom your personal data is disclosed. If you wish, you may request a copy of the personal data currently being processed; however, the provision of further copies may be subject to a reasonable fee, taking into account the applicable administrative costs. If the request is made in electronic format, and unless you specify otherwise, we will provide the information in a commonly used electronic format. Right to rectification and updating.
    If your personal data is incorrect or incomplete, you may request that it be rectified or completed without undue delay. 
  • Right to erasure
    You have the right to request the erasure of your personal data.
    This right may be restricted in certain situations, such as where MDR has a legitimate interest in retaining the data, in particular for the purposes of complying with legal obligations to which MDR is subject, or for the exercise of a right.
  • Right to object
    Where provided for in the applicable data protection legislation, and where the processing of data is based on MDR’s legitimate interest, you have the right to object to the processing of your personal data on compelling and legitimate grounds relating to your particular situation

  • Right to data portability
    You have the right to receive the personal data concerning you that you have provided to MDR in a structured, commonly used and machine-readable format, and the right to transmit that data to another data controller without MDR being able to prevent this. In exercising the right to data portability, you have the right to have your personal data transmitted directly between data controllers, where technically feasible.
  • Right not to be subject to automated individual decision-making
    MDR does not make automated individual decisions, including profiling, which produce legal effects concerning you or similarly significantly affect you.
  • Right to withdraw consent
    Where data processing is based on your consent, you may withdraw your consent at any time. If you withdraw your consent, your personal data will no longer be processed, unless there is another legal basis for such processing.
  • Right to lodge a complaint with the supervisory authority
    You have the right to lodge a complaint with a public authority responsible for supervising and promoting compliance with the rules on the processing of personal data and ensuring the protection of the fundamental rights of data subjects.

MDR draws your attention to the fact that the exercise of the rights set out above may be limited due to the existence of the rights and freedoms of third parties, legal or confidentiality obligations, and the overriding legitimate interests of MDR or a third party.

Where personal data is processed for statistical purposes, the rights of access, rectification/updating and objection are restricted, to the extent necessary, if the exercise of these rights would render the fulfilment of those purposes impossible or seriously impair it.

MDR may request specific information for the exercise of the aforementioned rights, in order to confirm the identity of the data subject. This request is a security measure, designed to ensure that personal data is not shared with persons who do not have the right to access it. MDR may contact the data subject to request information relating to the request made, in order to expedite the response to such a request.

7. How can you exercise your rights?

You may exercise your rights through any of the following channels:

  • Email: to the email address geral@mdradvogados.com or
  • Letter: addressed to Tiago Arouca Mendes, Mendes, Duarte Rocha & Associados, Sociedade de Advogados, Lda, Avenida Marginal, 141, Torres Rani, Torre de Escritórios, 8th floor, Maputo, Mozambique

Exercising your rights is free of charge. However, MDR may charge a reasonable fee or refuse the request if it is manifestly unfounded, repetitive or excessive.

8. How can you contact us?

If you have any questions or require further information regarding the processing of personal data or the rights you enjoy as a data subject, please contact us via the following channels:

  • Email: to the email address geral@mdradvogados.com; or
  • Letter: addressed to Tiago Arouca Mendes, Mendes, Duarte Rocha & Associados, Sociedade de Advogados, Lda, Avenida Marginal, 141, Torres Rani, Torre de Escritórios, 8th floor, Maputo, Mozambique

9. How can you keep up to date with the processing of personal data?

This "Privacy Policy" may be subject to updates, so MDR advises you to consult this Policy regularly.

It is important that your personal data is accurate and up to date. We therefore ask that you keep us informed of any changes to your personal data during your relationship with MDR.

Find out more about the processing of personal data by consulting the "Cookie Policy", which is included in the "Terms and Conditions" on our website.

 

___________________________

(1) The data subject’s prior consent will be sought in cases where the event is recorded, whether in sound or image, or where photographs are taken.

 

Public Document
Last review on 18/02/2026

Please note, your browser is out of date.
 For a good browsing experience we recommend using the latest version of Chrome, Firefox, Safari, Opera or Internet Explorer.