Data privacy policy for Aabø-Evensen & Co Advokatfirma AS

Last amended 11th of September 2020

This data privacy policy applies to personal data that Aabø-Evensen & CO Advokatfirma AS (“we” or “us”) collects and processes. We are the data controller for the processing activities carried out by or on behalf of us, as described in this policy. You will find our contact details below. We are committed to safeguarding the privacy of our clients and other interested parties in a secure manner and in accordance with the applicable data protection legislation at any time. 

Personal data is all information and assessments that can be related to an individual and examples of such data include, but are not limited to names, e-mail addresses and telephone numbers. 


Whose personal data do we process

This Data Privacy Policy applies to personal data we process about the following persons:

  • -Private clients

  • -Contact persons for our enterprise clients

  • -Contact persons for our suppliers and business partners

  • -Persons involved in cases where we assist 

  • -Other persons referred to in case documents to which we gain access

  • -CEO's, board members, owners or other relevant contact persons in companies we want to address in the event of a potential or current transaction or assignment.

  • -Other persons who, through contacting us either through our website, email, telephone or otherwise, make it necessary for us to process personal data in order to handle and respond to the inquiry.

Purpose, types of personal data and legal basis

We have provided an overview below of the purposes for which we process personal data, the types of personal data we process and the legal basis for the processing.

We process information such as names, addresses, date of birth / year, social security number, telephone number, e-mail addresses, shareholder / ownership structure, position / roles in companies, as well as any other case-related personal information.

Establishment of client relationships: Before taking on a new client, we carry out a client conflict check in accordance with the Code of Conduct for Lawyers to clarify that we can take on the case. The legal basis for the conflict check is Article 6 c (legal obligation) of the General Data Protection Regulation (GDPR) and Article 6f (balancing of interests: our interest in acting ethically correct). The client conflict check does not basically involve processing personal data for enterprise clients. The processing related to private clients will usually be limited to information in connection with names and what the case concerns. 

Where necessary under the provisions of the Anti-Money Laundering Act, we carry out a client due diligence. A client due diligence usually involves receiving the client’s address and a copy of their passport with the personal information it contains, and depending on the circumstances, information is gathered about beneficial owners of companies that are relevant to assist or who are involved in transactions. Processing of personal data in connection with the anti-money laundering check has a legal basis in Article 6c GDPR (legal obligation).

If we take on the assignment, the client’s contact details, such as name, telephone number, e-mail address, address and identity papers are registered, as well as the corresponding information for the contact persons for our enterprise clients. Registration of contact details for private clients is necessary in order to enter into a contract with the person concerned, cf. Article 6b GDPR (contract). The legal basis for the registration of contact details for enterprise clients is a balancing of interests, cf. Article 6f GDPR (balancing of interests: our interest in communicating with the client).

Case handling: Some attorney assignments mean that we gain access to and process personal data about parties or other individuals affected by a case. Such information may appear in documents submitted by the client in writing or verbally or other correspondence in the case. The legal basis for the processing of personal data in connection with assignments for enterprise clients is Article 6f GDPR (balancing of interests: our interest in providing services to the client) and for private clients, Article 6b GDPR (contract). In a few cases, we gain access to sensitive personal data, such as health details or criminal record. In such cases, the legal basis for our processing is Article 9f GDPR (legal claims), cf. section 11 of the Data Protection Act. 

Knowledge management: We sometimes prepare templates based on previous counselling to improve and develop our services. In this case, we will anonymise personal data, unless the template concerns the client in question. The legal basis for this processing is Article 6f GDPR (balancing of interests: our interest in managing knowledge). 

Client administration: Separate case files are created for assignments carried out on behalf of the client. Time and costs incurred on a case are registered in our accounting system The legal basis for our client administration related to enterprise clients is Article 6f GDPR (balancing of interests). For private clients, this is deemed a necessary part of fulfilling the contract with the client in question, cf. Article 6b GDPR (contract). 

Invoicing: Contact details received from enterprise clients are used on the invoice sent to the enterprise if the client so requests. For private clients, the person in question’s private postal address or billing address is used. The legal basis for enterprise clients is Article 6f GDPR (balancing of interests: our interest in invoicing) and for private clients, Article 6b GDPR (contract). 

IT Operations and Security: Personal data stored in our IT systems may be available to us or our suppliers in connection with system updates, implementation or follow-up of security measures, error recovery, support or other maintenance. The legal basis is Article 6f GDPR (balancing of interests, cf.our legitimate interest related to the said activities) and our legal obligation to ensure satisfactory information security, cf. Articles 32 and 6c GDPR. 

Marketing: We occasionally send out newsletters and other relevant information to the e-mail addresses registered to our regular clients and other parties who have requested to receive our newsletters. Newsletter recipients can easily unsubscribe from the service by using the link included in each e-mail. If we have received an e-mail address in connection with an attorney assignment, the legal basis is Article 6f GDPR (balancing of interests: our interest in following-up our clients and providing information about our services), section 15, third paragraph of the Marketing Act. For distribution to others, the legal basis is Article 6a GDPR (consent) and section 15, first paragraph of the Marketing Act. 

We collect, receive and process personal data in connection with marketing related work. This is done in the form of processing of names, telephone numbers, e-mail addresses / postal addresses, date of birth, ownership / shareholder relations and roles in companies / businesses, based on publicly available information on relevant persons / contacts who may be interested in our services.

Recruitment: In connection with recruitment work, we will process certain personal data (i.e. contact information, date of birth, transcripts, diplomas, certificates and such) about the candidate which is used to evaluate the candidate and for communication with the candidate in the recruitment process. The processing is necessary in order to be able to enter into a possible contract for permanent or temporary employment. If the candidate is not hired, we will only keep the information about the candidate if explicit consent is given for this. We have implemented internal routines to limit access to personal data, and personal data will only be shared with employees in the company who participate in the recruitment process. 

Administration of suppliers and business partners: In connection with our contact and contracts with suppliers and business partners, we will register and process certain personal data, such as contact details of contacts at supplier / partner. This is deemed necessary to be able to enter into / fulfill an agreement, contact or manage the relationship with the supplier / partner in question. The legal basis is Article 6f GDPR (balancing of interests: our interest in managing relationships with suppliers and business partners,

Who we share personal data with

Attorneys have a duty of confidentiality. All information entrusted to us in connection with an assignment is dealt with confidentially.

Our IT service providers including CRM solution, web services, etc. may have access to personal data if the personal data is stored with the IT service provider or is otherwise available to the IT service provider in accordance with the contract with us. We have data processing agreements with our suppliers which ensure that the suppliers may only use personal data for the purposes we have determined and as stated in the Data Privacy Policy. Our CRM solution provider utilizes data centers in the EU, but may have access to these and the personal data stored there, from third countries. Our supplier is located in the USA, and through data processor agreements with its customers, has committed itself to adequate protection mechanisms for the transfer of personal data based on the EU Standard Contractual Clauses (SCCs). Subcontractors may also be used which must have a corresponding level of protection.

We do not disclose personal data in other cases or in ways other than those described in this Data Privacy Policy, unless the client explicitly requests or consents to this or the disclosure is required by law.

Storage of personal data

We normally keep case documents for up to 20 years after the client relationship has ended. Storage for the specified period is deemed necessary for the sake of the client and ourselves, as questions or a dispute may arise at a later date, when the information stored on a case may again become relevant. The legal basis is Article 6f GDPR (balancing of interests: our legitimate interest as specified above) and Article 9f GDPR (legal claims), cf. section 11 of the Data Protection Act. 

We usually delete data collected in connection with client due diligence pursuant to the Anti-Money Laundering Act 5 years after the client relationship has ended. 

Your rights

You have rights to personal data relating to you. What rights you have depend on the circumstances.

Withdraw consent: If you have given consent to receive newsletters from us, you may withdraw this consent at any time. We have made it easy for you to opt-out of this type of communication by including a link to an unsubscribe form in each communication. If you have consented to other processing of personal data, you may also withdraw your consent at any time with regard to this processing by contacting us.

Request access: You have the right to be granted access to the personal data we have registered about you, insofar as our duty of confidentiality does not prevent this. To ensure that the personal data are disclosed to the correct person, we may require that a request for access is made in writing or that the person’s identity is verified in some other way.

Request correction or deletion: You may ask us to correct inaccurate personal data or to delete your personal data. We will, as far as possible, accommodate a request to delete personal data, but we cannot do so if there are weighty reasons not to delete the personal data, such as if we must store the data for documentation purposes.

Data portability: In some cases, you may have access to receive the personal data you have provided us with in order to have these data transferred in a machine-readable format to another law firm. If technically possible, in some cases it will be possible to have these data transferred directly to another law firm.

Complaints to the supervisory authority: If you disagree with the way in which we process your personal data, you may file a complaint with the Norwegian Data Protection Authority.


We have established procedures to manage personal data securely. The measures are of a technical and organisational nature. We make regular assessments of the security in all our key systems used for handling personal data, and contracts have been entered into that require suppliers of such systems to ensure satisfactory information security. 

Access to personal data (and client/case information) has been limited to personnel who require access to perform their duties. 

We have adopted internal IT guidelines and provide regular training to our employees with respect to security and use of IT systems.


Our website and other digital services we manage use cookies and similar technologies such as pixels on your browser. These cookies help us understand how our website is used and customize the website based on choices you've made before. We use this information to improve and personalize your online experience and to analyse and measure visitors of both our website and other media. Reference is also made to what is described above about what information can be processed, the purpose of the processing and our data processors who process the information.

The cookies we use are as follows:

  • -Google Analytics: web statistics. Used to track users across multiple pageviews for web analytics.
  • -Google AdWords: conversion tracking and remarketing. Used to a) measure conversions and b) show targeted ads based on content you've seen on our digital channels.
  • -Facebook: social buttons, conversion tracking and retargeting. Used to a) display social buttons in digital channels, b) measure conversions, and c) show targeted ads based on content you read in our channels.
  • -LinkedIn: social buttons, conversion tracking and retargeting. Used to a) display social buttons in digital channels, b) measure conversions, and c) show targeted ads based on content you read in our channels.
  • -HubSpot: CRM, web statistics and profiling. Used as a CRM in addition to tracking users across multiple pageviews for analysis, marketing and sales.

More about social buttons: As described above, we have social icons / buttons on our website (Facebook, LinkedIn, Instagram). Pressing a button will take you to the site that belongs to that icon. We have this implemented on our website for analysis and advertising purposes. Please note that both Facebook, LinkedIn and Instagram can process information about you as you leave our site and are transferred to the icon / button owners.

If you decline, your information will not be tracked when you visit our site. A single cookie is used to remember your preference not to be tracked.

Amendments to the Data Privacy Policy

We may make minor amendments to this Data Privacy Policy. The latest version is always available on our website. We will notify of any material amendments.

Contact us

If you have any questions or comments about our Data Privacy Policy or you would like to exercise your rights, please contact us.

Aabø-Evensen Advokatfirma AS attn. CEO, Torstein Schroeder
Office address: Karl Johans gate 27, N-0159 Oslo
Postal address: Postboks 1789 Vika, N-0122 Oslo
Tel.: 47 241 59 000