Last amended 11 March 2019
Personal data is all information and assessments that can be related to an individual. Examples of such data include, but are not limited to, names, e-mail addresses and telephone numbers.
Whose personal data do we process
Contact persons for our enterprise clients
Contact persons for our suppliers and business partners
Persons involved in cases where we assist
Other persons referred to in case documents to which we gain access
Purpose, types of personal data and legal basis
We have provided an overview below of the purposes for which we process personal data, the types of personal data we process and the legal basis for the processing.
Establishment of client relationships: Before taking on a new client, we carry out a client conflict check in accordance with the Code of Conduct for Lawyers to clarify that we can take on the case. The legal basis for the conflict check is Article 6c (legal obligation) of the General Data Protection Regulation (GDPR) and Article 6f (balancing of interests: our interest in acting in an ethically correct manner). In principle, the client conflict check does not involve processing personal data for enterprise clients. The processing related to private clients will usually be limited to names and what the case concerns.
Where necessary under the provisions of the Anti-Money Laundering Act, we carry out a client due diligence. A client due diligence usually involves receiving the client’s address and a copy of their passport and, depending on the circumstances, information is gathered about beneficial owners. The anti-money laundering check has a legal basis in Article 6c GDPR (legal obligation).
If we take on the assignment, the client’s contact details, such as name, telephone number, e-mail address, address and identity papers are registered, as well as the corresponding information for the contact persons for our enterprise clients. Registration of contact details for private clients is necessary in order to enter into a contract with the person concerned, cf. Article 6b GDPR (contract). The legal basis for the registration of contact details for enterprise clients is a balancing of interests, cf. Article 6f GDPR (balancing of interests: our interest in communicating with the client).
Case handling: Some attorney assignments mean that we gain access to personal data about parties or other individuals affected by a case. Such information may appear in documents submitted by the client or other correspondence in the case. The legal basis for the processing of personal data in connection with assignments for enterprise clients is Article 6f GDPR (balancing of interests: our interest in providing services to the client) and for private clients, Article 6b GDPR (contract). In a few cases, we gain access to sensitive personal data, such as health details or criminal record. In such cases, the legal basis for our processing is Article 9f GDPR (legal claims), cf. section 11 of the Data Protection Act.
Knowledge management: We sometimes prepare templates based on previous counselling to improve and develop our services. In this case, we will anonymise personal data, unless the template concerns the client in question. The legal basis for this processing is Article 6f GDPR (balancing of interests: our interest in managing knowledge).
Client administration: Separate case files are created for assignments carried out on behalf of the client. Time and costs incurred on a case are registered in our accounting system. The legal basis for our client administration related to enterprise clients is Article 6f GDPR (balancing of interests). For private clients, this is deemed a necessary part of fulfilling the contract with the client in question, cf. Article 6b GDPR (contract).
Invoicing: Contact details received from enterprise clients are used on the invoice sent to the enterprise if the client so requests. For private clients, the person in question’s private postal address or billing address is used. The legal basis for enterprise clients is Article 6f GDPR (balancing of interests: our interest in invoicing) and for private clients, Article 6b GDPR (contract).
IT Operations and Security: Personal data stored in our IT systems may be available to us or our suppliers in connection with system updates, implementation or follow-up of security measures, error recovery or other maintenance. The legal basis is Article 6f GDPR (balancing of interests, cf. our legitimate interest related to the said activities) and our legal obligation to ensure satisfactory information security, cf. Articles 32 and 6c GDPR.
Marketing: We occasionally send out newsletters and other relevant information to the e-mail addresses registered to our regular clients and other parties who have requested to receive our newsletters. Newsletter recipients can easily unsubscribe from the service by using the link included in each e-mail. If we have received an e-mail address in connection with an attorney assignment, the legal basis is Article 6f GDPR (balancing of interests: our interest in following up our clients and providing information about our services), section 15, third paragraph of the Marketing Act. For distribution to others, the legal basis is Article 6a GDPR (consent) and section 15, first paragraph of the Marketing Act.
Recruitment: In connection with recruitment work, we will process certain personal data about the candidate which is used to evaluate the candidate and for communication with the candidate in the recruitment process. This may apply to information sent in an e-mail, obtained from “Arbeidslivsdagene” (Career Event), or via a recruitment agency. The processing is necessary in order to be able to enter into a possible contract for permanent or temporary employment. If the candidate is not hired, we will only keep the information about the candidate if explicit consent is given for this. We have implemented internal routines to limit access to personal data, and personal data will only be shared with employees in the company who participate in the recruitment process.
Suppliers and business partners: In connection with contracts with suppliers and business partners, we will register and process certain personal data, such as contact details, which is deemed necessary to be able to enter into or to fulfil the contract with the person in question. The legal basis is Article 6f GDPR (balancing of interests: our interest in managing relationships with suppliers and business partners,
Who we share personal data with
Attorneys have a duty of confidentiality. All information entrusted to us in connection with an assignment is dealt with confidentially.
Storage of personal data
We normally keep case documents for up to 25 years after the client relationship has ended. Storage for the specified period is deemed necessary for the sake of the client and ourselves, as questions or a dispute may arise at a later date, when the information stored on a case may again become relevant. The legal basis is Article 6f GDPR (balancing of interests: our legitimate interest as specified above) and Article 9f GDPR (legal claims), cf. section 11 of the Data Protection Act.
We usually delete data collected in connection with client due diligence pursuant to the Anti-Money Laundering Act 5 years after the client relationship has ended.
You have rights to personal data relating to you. What rights you have depends on the circumstances.
Withdraw consent: If you have given consent to receive newsletters from us, you may withdraw this consent at any time. We have made it easy for you to opt-out of this type of communication by including a link to an unsubscribe form in each communication. If you have consented to other processing of personal data, you may also withdraw your consent at any time with regard to this processing by contacting us.
Request access: You have the right to be granted access to the personal data we have registered about you, insofar as our duty of confidentiality does not prevent this. To ensure that the personal data are disclosed to the correct person, we may require that a request for access is made in writing or that the person’s identity is verified in some other way.
Request correction or deletion: You may ask us to correct inaccurate personal data or to delete your personal data. We will, as far as possible, accommodate a request to delete personal data, but we cannot do so if there are weighty reasons not to delete the personal data, such as if we must store the data for documentation purposes.
Data portability: In some cases, you may have access to receive the personal data you have provided us with in order to have these data transferred in a machine-readable format to another law firm. If technically possible, in some cases it will be possible to have these data transferred directly to another law firm.
Complaints to the supervisory authority: If you disagree with the way in which we process your personal data, you may file a complaint with the Norwegian Data Protection Authority.
We have established procedures to manage personal data securely. The measures are of a technical and organisational nature. We make regular assessments of the security in all our key systems used for handling personal data, and contracts have been entered into that require suppliers of such systems to ensure satisfactory information security.
Access to personal data (and client/case information) has been limited to personnel who require access to perform their duties.
We have adopted internal IT guidelines and provide regular training to our employees with respect to security and use of IT systems.
Aabø-Evensen Advokatfirma AS attn. General Manager Nils Olav Årseth
Office address: Karl Johans gate 27, N-0159 Oslo
Postal address: Postboks 1789 Vika, N-0122 Oslo
Tel.: 47 24 15 90 00