This PP is aimed at our processing of personal data about the following persons:
• Private individual clients
• Clients in criminal cases
• Contacts for business clients
• Contacts for our suppliers and partners
• Persons involved in cases we handle
• Other persons mentioned in case documents to which we have access
• Visitors to our website
2 Purpose, types of personal data and legal basis
Below we have provided an overview of the purposes for our processing of personal data, what kind of personal data we register and the legal basis for this.
New clients: When we are contacted by a client regarding a new assignment, we conduct an internal conflict of interest check before we can accept the assignment. The conflict of interest check serves a legitimate purpose and is based on GDPR Article 6 (1) (f) (balancing of interests). The conflict of interest checks of private individuals include full name, what the engagement regards and, if relevant, creditworthiness. In general, the conflict of interest checks regarding business clients will not involve processing of personal data.
Also, we will conduct a check in accordance with the requirements in the Norwegian Money Laundering Act (hvitvaskingsloven), e.g. ID, company certificate, information about beneficial owners, etc. It is necessary to fulfil our legal obligations under the Norwegian Money Laundering Act, cf. GDPR Article 6 (1) (c).
If we can accept the assignment, contact information will be registered, such as name, address, e-mail and telephone number. This is necessary to enter into an agreement with the persons concerned, cf. GDPR Article 6 (1) (b) (re. private individuals) and GDPR Article 6 (1) (f) (re. business clients based on balancing of different interests). A company certificate will be obtained, together with possibly other information, e.g. from Brreg.no.
Case management: Some assignments entail that we get personal data about individuals involved. Such information may appear in documents the client sends to us or other correspondence. The legal basis for processing of personal data in connection with assignments for business clients is GDPR Article 6 (1) (f) (balancing of interests). In some cases, we also get access to sensitive personal data, e.g. health information or criminal convictions and offenses. In such cases, the processing of the information is based on GDPR Article 9 (2) (f) (the processing is necessary to determine, enforce or defend a legal claim), cf. the Norwegian Personal Data Act (personopplysningsloven) section 11.
Management of knowledge: Certain assessments, such as memos, letters and applications, can be stored if they are anonymized prior to the storage. The legal basis is our need to utilize knowledge in later assignments, cf. GDPR Article 6 (1) (f) (balancing of interests).
Client Management: Own case files are created for assignments performed on behalf of the client. Time and costs incurred on a case are recorded in our accounting system. For business clients, what we do in connection with client management is based on GDPR Article 6 (1) (f) (balancing of interests). For private individual clients it is considered a necessary part of fulfilling the agreement, cf. GDPR Article 6 (1) (b).
Storage and retention of case documents: We keep documents for up to 13 years after the end of the year the assignment is completed / is about. This is considered necessary for the benefit of the client and us, as questions or disputes may arise where the information stored may become relevant. The legal basis for the processing of personal data is GDPR Article 6 (1) (f) (balancing of interests, cf. the legitimate interest stated above) and GDPR Article 9 (2) (f) (determine, enforce or defend a legal claim), cf. the Norwegian Personal Data Act (personopplysningsloven) § 11.
Invoicing: Contact information received from business clients is used to address invoices, if requested by the client. For private individual clients, the person’s private mailing address or e-mail is used for sending out invoices. The basis for processing is GDPR Article 6 (1) (f) (balancing of interests) for business clients and GDPR Article 6 (1) (b) (necessary to fulfil the agreement) for private individual clients.
IT Operations and Security: Personal data stored in our IT systems may be available to us or to our suppliers in connection with system updates, implementation or follow-up of security measures, bug fixes or other maintenance. The legal basis is GDPR Article 6 (1) f (balancing of interests, cf. our legitimate interest to conduct these activities) and our legal obligation to have satisfactory information security, cf. GDPR Articles 32 and 6 (1) (c).
Marketing: We do not send newsletters. If initiated later, it will be sent to e-mail addresses registered on clients to whom we are continuously providing legal services and others who have requested to receive our newsletter. Recipients of the newsletter can unsubscribe from the service by e-mailing our CEO. The legal basis is GDPR Article 6 (1) f (balancing of interest) where we have received the e-mail address in connection with an assignment. If an existing client relationship exists, the marketing will take place in accordance with section 15 (3) of the Norwegian Marketing Act (markedsføringsloven). In other cases, marketing is based on the consent of the person concerned, cf. section 15 (1) of the Norwegian Marketing Act (markedsføringsloven) and GDPR Article 6 (1) a.
3 Sharing personal data
Our IT service providers may have access to personal data if personal data is stored with the supplier or is otherwise available to the supplier in accordance with the contract with us. The suppliers act in accordance with a data processor agreement and under our instructions. The supplier can only use the personal data for the purposes we have decided and described.
We do not use suppliers located in countries outside the EU and the EEA. If we want to use suppliers located in countries outside the EU and the EEA, the transfer of personal data to these suppliers will use the EU’s standard transfer agreements (read more here: https://ec.europa.eu/info/law/law-topic/ data-protection / data-transfers-outside-eu / model-contracts-transfer-personal-data-third-countries_en) and/or the EU-US Privacy Shield framework (read more here: https://ec.europa.eu / info / law / law-topic / data protection / data transfers-outside-eu / eu-us-privacy-shield_en).
Attorneys are subject to a penalty-sanctioned duty of confidentiality that follows from section 211 of the Norwegian Criminal Code (straffeloven). All information that is entrusted to us in connection with an assignment is handled confidential.
We do not disclose personal data in other cases or in any way other than those described in this PP, unless the client explicitly encourages or consents to this or the disclosure is required by law.
4 Storing of personal data
In general, we cannot specify how long personal data is stored. Personal data in case documents will be deleted at the same time as the case documents. If possible, the deletion will occur earlier. For information regarding storing of case documents, see above.
We are required to store certain accounting documents for a specified period of time according to law. When a specific purpose requires storage for a given period of time, we ensure that personal data is used solely for that purpose for that period.
5 Your rights
You have certain rights regarding the personal data concerning you, depending on the circumstances.
Withdraw consent: You may withdraw a consent to receive newsletters at any time by sending an e-mail to the CEO. You may also withdraw consent regarding other processing of personal data at any time, by contacting us.
Request access: You have the right to see personal data we have registered about you, if our duty of confidentiality does not prevent this. To ensure that personal data is disclosed to the right person, we may require that the request is made in writing or that the identity is verified in some other way.
Request correction or deletion: You can ask us to correct incorrect information we have about you or ask us to delete personal data. We will, as far as possible, respond to a request to delete personal data, but we cannot do so if there are compelling reasons not to delete, e.g. that we must store the information for documentation purposes.
Data portability: In some cases, you may be given the opportunity to have personal data transmitted in a machine-readable format to another law firm. If technically possible, also directly to the other law firm.
Complaints to the supervisory authority: If you disagree with the way we process your personal data, you can submit a complaint to the Norwegian Data Protection Authority (Datatilsynet).
We have established procedures to handle personal data securely. The measures are both technical and organizational. We conduct regular assessments of the security of all central systems used for the processing of personal data, and agreements have been entered into that require suppliers of such systems to provide adequate information security.
Access to personal data (and client and case information) is limited to personnel who need access to perform their tasks.
We have adopted internal IT policies, and we regularly train employees on the security and use of IT systems.
7 Changes to the PP
We can change this PP. You will always find the latest version on our website. In the event of significant changes, we will notify persons affected by this, within reasonable limits.
8 Contact us
We do not have a Data Protection Officer as our main activity does not consist of processing personal data in a manner that involves large-scale, regular and systematic monitoring of persons, or special categories of personal data or personal data related to criminal convictions and criminal matters on a large scale, cf. GDPR Article 37.
If you have any questions or comments about our PP or wish to exercise your rights, please contact: Nitschke Advokater AS, att.: Geir Sevre, P.O. Box 353, N-1326 Lysaker, Norway, or tel.: +47 4545 5252.
In case of conflict between the Norwegian and English version of our PP, the Norwegian version shall prevail.
Last modified: 19 August 2019, version 1.