Updated December 2018
1 In which cases will we have to register personal information about private individuals
- • Private individual clients
- • Persons registered as contact persons for businesses that are our clients
- • Private persons registered as contact persons of vendors and business partners
- • Private individuals that are involved in cases that we are engaged to advise in
- • Persons mentioned or referred to in case documents we are given access to in connection with our legal advice
- • Visitors on our home page
2 Purpose, type of information and legal basis
Please find below our description of the purposes for registering personal data, what kind of personal data that we register and the legal basis for the registration.
New clients/new engagements
When we are contacted by a new client regarding a new engagement, we must do an internal conflict of interest check before we can confirm whether we can accept the engagement. The conflict of interest check serves a legitimate purpose and has a legal basis in the GDPR Article 6, number 1, litra f. A conflict check of private individuals includes as a general the full name, what the engagement regards to and, if relevant, creditworthiness. Conflict check regarding business clients will as a general rule not include registration of personal information.
Further, for the establishment of a new client/a new engagement we must fulfill the requirements in the Norwegian Anti Money Laundering act. For customers that we do not already know the identity of, we are obligated to make sure that the identity of the new client is documented through an ID issued by public authority, cf. the Norwegian Anti Money Laundering Act, cf. the GDPR article 6 nr.1 litra c
If we, after the controls as described above, can undertake the engagement, the contact information will be registered. The registration of the contact information is required in order to enter into an agreement with private individuals, cf. the GDPR article 6, 1 litra b. For companies/legal entities the registration of contact information is based on a weighting of different interests, cf. GDPR article 6 nr 1 litra f.
Personal data relating to individual cases
Some legal assignments entail that we are granted access to personal data about the parties to the case or other individuals that are affected. Such information may arise from documents that the client sends to us or other correspondence. The handling of personal information in connection with engagements for business clients has a legal basis in GDPR article 6 number 1 litra f (weighting of different interests). In some cases we are also granted access to sensitive personal data, such as for example information about a persons health, convictions and offences. In such cases the treatment of the personal data has a legal basis in GDPR article 9 nr. 2 litra f (the registration is necessary in order to determine, enforce or defend a legal claim), cf the Norwegian Personal Data Act (2018) §11.
Separate folders are created for all clients in our file system, and separate sub-folders are, as a general rule, created for all engagements for the client. Time spent on each engagement and cost incurred on each engagement are registered in our ERP system. As regards to business clients, the legal basis for our actions regarding the client administration is GDPR article 6 nr. 1 litra f (weighting of different interests) and for private individual clients, our actions regarding the client administration is considered as necessary in order to fulfill the agreement with the client, cf. GDPR Article 6 nr. 1 litra b.
Storage and retention of files
We will retain all document files 10 years after the engagement is closed.
The retention of the documentation for this period is considered necessary both for the sake of the client and for our own sake, as both questions or a dispute regarding information stored in the case file may come up later. The legal basis for retaining the documents is GDPR article 6 nr. 1 litra f (weighting of interests) and GDPR article 9 nr. 2 litra f (determine, enforce or defend a legal claim).
Contact information received from business clients may, on the business client´s request, be used for addressing invoices to the correct person in the company. When invoicing private persons the client’s private address is used. The legal basis is GDPR article 6 nr 1 litra f (weighting of interests) for business clients and GDPR article 6 nr. 1 litra b (necessary in order to fulfill the agreement between the two parties).
IT-operations and security
Personal data stored in our IT-systems will be available to us and our IT-suppliers in connection with updating of IT- systems, implementing – or follow up of security measures, correction of errors or other maintenance. The legal basis is GDPR article 6 nr. 1 litra f (weighting of interests) and our commitment to satisfactory information security, cf. GDPR article 32 and 6 nr. 1 litra c.
3 With whom will we share the registered personal data
Attorneys are subject to a sanctioned duty of confidentiality as provided by the Norwegian Criminal Code § 211. All information that is trusted to us in connection with an assignment is treated confidentially.
4 Storing registered personal data
Personal data shall, according to the GDPR not be retained longer than 3 years. However, a right or an obligation to store the data longer than 3 years may follow from other, more specific rules. On the basis that a compensation claim can occur up to 10 years after a case is closed, we will keep all documents including registered personal information, for 10 years.
An obligation to retain the personal data may also follow from other special legislation, such as for example the Norwegian accounting act. To the extent personal data is stored more than 3 years, we will ensure that data are used only for the purpose that implies longer storage obligations.
5 Your rights
You have rights regarding the personal data concerning you. What right you have, depends on the circumstances.
Request for access:
You have the right to understand what personal information we have registered about you, unless our duty of confidentiality precludes this. In order to ensure that personal information is handed over to the right person, we may require that a request for access be made in writing or that the identity otherwise is verified.
Request correction or deletion:
You may ask us to correct incorrect information we have about you or ask us to delete personal information. We will as far as possible, respond to a request to delete personal information, but we cannot do this if there are weighty reasons for not deleting, for example, if we must store the information for documentation purposes.
In some cases, you may be able to obtain the personal information you have provided to us in order to get them transferred in a machine-readable format to another law firm. If technically possible, in some cases it will be possible to have these transferred directly to the other company.
Complaint to the supervisory authority:
If you disagree with the way we process your personal information, you can file a complaint with the Data Inspectorate.
We have established procedures for handling personal information in a safe way. The measures are both technical, and organizational. We make periodic assessments of the safety of all key systems used for handling personal data, and agreements that impose our IT-suppliers to ensure satisfactory information security.
Access to Personal Data (and client / case information) is limited to personnel who need access to these in order to perform their tasks, and we regularly provide staff training with regard to the security and use of IT systems.
7 Changes to the Privacy Statement
We will be able to make minor changes to this privacy statement. You will always find the latest version on our website. In case of significant changes, we will notify you of this.
8 Contact us
If you have questions or comments about our privacy statement or you want to exercise your rights, please contact us:
Tax & Legal Advokatfirma DA, Billingstadsletta 19A, 1396 Billingstad.