At Svensson Nøkleby Advokatfirma ANS ("we" or "us"), we care about the privacy and security of your personal information. This means, among other things, strict internal routines, thorough training of employees and a high level of security.
This privacy statement provides you with information about how we collect and process personal information.
We process personal information about the following categories of people:
- Private customers
- Contact persons for business customers
- People who are involved or mentioned in cases we assist in
- Contact persons at our suppliers and partners
- Users of our websites
- Job seekers
Svensson Nøkleby Advokatfirma ANS, represented by its general manager, is responsible for the processing. Feel free to contact us if you have questions or need further information about our processing of personal data.
Svensson Nøkleby Advokatfirma ANS
Attn: Terje Gundersen
PO Box 294 Bragernes
2. MORE ABOUT OUR PROCESSING OF PERSONAL INFORMATION
Below we have provided an overview of the purposes for which we process personal data, the types of personal data we process, and the legal basis for the processing.
2.1 Establishment of customer relationships
Before we can establish a customer relationship, we always carry out a conflict check to clarify any conflicts of interest. Carrying out conflict checks serves a legitimate purpose and is based on Article 6 (1) (f) of the GDPR (balancing of interests). Conflict checks of private customers usually include their full name, what the case is about and, if relevant, creditworthiness. Normally, conflict checks on behalf of business customers will not involve the processing of personal data.
When we establish a new customer relationship, and in the ongoing follow-up of existing customer relationships, we will carry out customer due diligence in accordance with the rules in the Money Laundering Act. The information we process to fulfill the reporting obligation and other requirements of the Money Laundering Act for lawyers has a legal basis in GDPR article 6 (1) (c), namely that the processing is necessary to fulfill a legal obligation. The legal obligation is stated in the Money Laundering Act § 4 second paragraph no. 3.
2.2 Lawyer assignment
We process personal data to the extent necessary to carry out the individual legal assignment (case management). Separate case files are created for assignments performed on behalf of the customer. The case files are mainly stored in our electronic case processing system, in some cases also in physical case files.
We typically collect personal information from the customer through meetings, telephone conversations and e-mail correspondence, from publicly available sources as well as from persons who may have information that is relevant to the case.
The processing of personal data about private clients has a legal basis in the agreement to perform the legal assignment, cf. GDPR article 6 no. 1 (b). This applies to both contact information (name, contact information, ID check) and information that appears from documents customers send, or other correspondence in the case.
The processing of personal data about persons associated with our business customers, as contact persons, has a legal basis in GDPR article 6 no. 1 (f) (balancing of interests).
Some legal assignments mean that we gain access to personal information about others than our client, such as the other party or others who are involved in a case, or who are mentioned in the case documents we have access to. The processing of such personal data is anchored in GDPR art. 6 No. 1 (f) (balancing of interests). The processing of personal data about others than our client is necessary in order to be able to perform legal assignments in a responsible and good manner. Lawyers are bound by a statutory duty of confidentiality. The duty of confidentiality means that we will only pass on the information if it is necessary to carry out the legal assignment.
In some cases we also get access to sensitive personal information, e.g. health information or criminal convictions and offenses. We will normally only process sensitive personal data about others than our customer if this is necessary to establish, assert or defend a legal claim, cf. GDPR article 9 no. 2 (f), cf. the Personal Data Act § 11. In other cases we will obtain consent, cf. GDPR article 9 no. 2 (a).
2.3 Knowledge management
Sometimes we prepare templates based on advice we have given in previous cases. Such templates will be anonymized. We also look at previous cases in our ongoing case work and advice to customers. The basis for the processing is our interest in utilizing experience and accumulated knowledge in further advice, cf. GDPR article 6 no. 1 (f) (balancing of interests).
2.4 Customer administration and invoicing
Time and costs incurred on a case are registered in our accounting system. Contact information that we have received from customers is used for invoicing. For business customers, what we do in connection with customer administration is authorized in GDPR article 6 no. 1 (f) (balancing of interests), while for private customers it is considered a necessary part of fulfilling the agreement with the customer, cf. GDPR article 6 no. 1 (b).
2.5 IT operations and security
Personal information stored in our IT systems may be available to us or to our suppliers in connection with system updates, implementation or follow-up of security measures, error correction or other maintenance. The basis for processing is GDPR article 6 no. 1 (f) (balancing of interests, cf. our legitimate interest related to the mentioned activities) and our legal obligation to have satisfactory information security, cf. GDPR articles 32 and 6 no. 1 (c).
2.6 Information collected via our website
We process personal information that is provided when using our website, to follow up users' inquiries in connection with registration for events, newsletter list, contact form regarding possible assignments and the like. This is typically personal information such as name and contact information. The legal basis for this processing is your consent in connection with the registration or inquiry, cf. GDPR art. 6 No. 1 (a).
2.7 Marketing and newsletters
We process personal information about existing and potential customers and partners for marketing purposes, for example for sending out newsletters, invitations to seminars and events, etc. The information processed for this purpose includes name, e-mail address, telephone number, address and assessments related to possible customer / collaboration relationships.
Newsletters and other marketing are mainly sent to those who have given consent to this by registering via our websites, cf. the Marketing Act § 15 (1) and GDPR article 6 no. 1 (a).
In other cases, the basis for processing is GDPR Article 6 No. 1 (f) (balancing of interests) where we have received the e-mail address in connection with a legal assignment. Our legitimate interest in such marketing activity is to follow up on customers with current legal news and relevant information about our services. If there is an existing customer relationship, the marketing will take place in accordance with the Marketing Act § 15 (3).
You can contact us at any time if you no longer wish to receive this type of inquiry. You can also easily unsubscribe from our newsletter by clicking on the unsubscribe link at the bottom of the electronic newsletter.
We use standardized third-party solutions for obtaining information in connection with a recruitment process. The basis for processing in this connection is GDPR art. 6 No. 1 (a) (consent). Our agreement with the supplier of the recruitment portal requires, among other things, strict routines regarding deletion and security.
2.9 Suppliers and partners
We use various suppliers and partners in connection with our legal services. In this connection, we process contact information for contact persons at suppliers and partners. The processing is necessary to fulfill the individual agreement or handle the individual relationship with the supplier or partner. The legal basis for the processing is GDPR art. 6 No. 1 (f) (balancing of interests).
3. WHOM WE SHARE PERSONAL INFORMATION WITH
We have entered into data processor agreements with the service providers we use, cf. GDPR Article 28. This applies, among other things, to suppliers of case processing systems, accounting systems and other IT systems. For security reasons, we only state the names of suppliers upon direct request.
As part of the fulfillment of the agreement with us, our service providers will be able to process personal data on our behalf, but only in accordance with our instructions and the data processor agreement entered into. It is important to us that our data processors also take privacy seriously, and we set strict requirements for the suppliers we use. The individual data processors can only use subcontractors if the data processor agreement allows for this. Subcontractors shall always have the same obligations as those that follow from the data processor agreement with us.
We will only disclose personal information to third parties if this is necessary for the performance of our assignment. These will typically be courts, appellate bodies, etc. In addition, we will only disclose personal information if we are required to do so by public authorities pursuant to law.
We do not disclose personal information in other cases or in other ways than those described in this privacy statement unless the client explicitly encourages or consents to this or the disclosure is required by law.
As a general rule, personal data is not processed or stored outside the EU / EEA. In some cases, the transfer may still be necessary to perform the legal assignment in a responsible manner, or it may take place at the direct request of the client. This may, for example, be the case if the counterparty is outside the EEA. In such cases, we will ensure that the transfer is secure and that there is a valid transfer basis, as a general rule by using the EU's standard agreements for the transfer of personal data to third countries.
Privacy and information security are an integral part of our internal control system. The measures are of a technical, contractual and organizational nature. We make regular assessments of the security of all central systems used for handling personal data, and agreements have been entered into that require suppliers of such systems to ensure satisfactory information security.
We have adopted an internal IT procedure that all our employees must follow when using our IT systems. We also regularly train employees with regard to security and use of IT systems.
5. STORAGE AND DELETION
We are responsible for knowing who our previous clients have been, cf. the Advocate Regulations, Chapter 12, Section 3.2.4. Personal information related to client relationships will therefore be stored for ten years after the client relationship has ended.
We consider the storage of case information, including personal information, as part of our legal assignment. Electronically stored information will generally be stored for up to ten years. Physical case files are archived on an ongoing basis and shredded as a general rule within ten years after the case has been closed.
Accounting legislation requires us to store certain accounting documents for a specified period of time, normally 3.5 or 5 years. When a specific purpose requires storage for a given period of time, we ensure that the personal data is used exclusively for the relevant purpose during this period.
Information obtained for money laundering purposes is stored for 5 years.
For persons who have agreed to receive our newsletters, the name and email address are stored until the consent is withdrawn or the person unsubscribes from the newsletter.
Personal information collected or received in connection with recruitment will normally be deleted within six months, unless you have agreed to further storage in special cases. Applicants can also withdraw their application from the recruitment portal.
Backups of data are deleted on an ongoing basis after 2 years.
6. YOUR RIGHTS
In connection with our processing of personal data about you, you have certain rights. What rights you have depends on the circumstances.
Withdraw consent: If you have given consent to receive newsletters from us, you can withdraw this consent at any time. We have made it easy for you to opt out of this type of inquiry by including a link to the deregistration form in each inquiry. If you have consented to other processing of personal data, you can also withdraw your consent to that processing at any time by contacting us.
Request access: You have the right to access the personal information we have registered about you, as long as the duty of confidentiality does not prevent this. To ensure that personal information is disclosed to the right person, we may require that the request for access be made in writing, or that identity be verified in another way.
Request correction or deletion: You can ask us to correct incorrect information we have about you, or ask us to delete personal information. We will as far as possible accommodate a request to delete personal data, but we cannot do this if there are compelling reasons for not deleting, for example that we must store the information for documentation purposes.
Data portability: In some cases, you may be entitled to receive the personal information you have provided to us in a machine-readable format, in order to have it transferred to another law firm or other third party. If it is technically possible, in some cases the information can be transferred directly to the third party.
Complaint to the supervisory authority: If you believe that our processing of personal data is in breach of privacy legislation, you can complain to the Norwegian Data Protection Authority. Please see https://www.datatilsynet.no/ for more information about privacy legislation.
7. CHANGES TO THE PRIVACY STATEMENT
We update this privacy statement as needed. You will always find the latest version on our website. In the event of significant changes, we will notify you of this.