As a data controller, we process personal data as described in this statement. The statement also describes your rights as a data subject pursuant to EU’s General Data Protection Regulation 2016/679 (“GDPR”) and Norwegian data protection legislation.
This Privacy Statement applies for 1,5 Advokatfirma AS (“we” or “us”). We take data protection seriously and treat personal data in a secure and legal manner.
Whose personal data we process
We primarily provide legal services to businesses, not to individuals. Nonetheless, it is necessary for us to process personal data. This statement applies to our processing of personal data about the following persons:
- Contact persons and beneficial owners of business clients (corporations and other legal persons)
- Private clients (natural persons)
- Contact persons of our suppliers and partners
- Persons that are involved in or mentioned in matters we deal with
Purposes, types of personal data and legal basis for processing
Below is an overview of the purposes for which we process personal data, the types of personal data we typically process, and the legal basis for our data processing.
Establishment of client relationships
When contacted by a client with a request for an assignment, we carry out an independence check (conflict clarification) before agreeing to the assignment. This is necessary to ensure that we comply with the Norwegian Code of Conduct for Lawyers, and the legal basis is GDPR Article 6 (1) c (legal obligation) and Article 6 (1) f (balancing of interests: our interest in acting ethically correct). Conflict checks related to business clients (legal persons) will normally not involve the processing of personal data. If our client or the opposing party is a natural person, conflict checks will involve this person’s full name and what the matter concerns.
We conduct customer due diligence when required by the Norwegian Money Laundering Act. For this purpose, we search databases and public registers, and verify the identity of the client or the client’s contact person, normally using BankID or another valid electronic ID. We also collect the identity of the beneficial owners of the client. On natural persons, we collect the full name, personal identity number or D-number and address. If the person has no Norwegian personal identity number or D-number, we will collect the date of birth, place of birth, gender and citizenship. Customer due diligence is necessary to fulfil our legal obligations under the Money Laundering Act, and the legal basis for processing is GDPR Article 6 (1) c.
If we can undertake the assignment, contact information is registered. For our business clients, we register the contact persons' name, phone number and email address. Such registration is necessary in order to provide legal services and is based on Article 6 (1) f of the GDPR (balancing of interests: our interest in dialogue with the client). Similarly, for any private clients we will register the client's name, phone number, address and email address. This registration is necessary for the performance of our contract with the client, cf. GDPR Article 6 (1) b.
We may, during legal assignments, get access to personal data about parties or other individuals involved in the matter. Such information may appear in documents sent to us by the client or other correspondence in the matter. The processing of personal data in connection with assignments for business clients is based on our legitimate interest in providing legal services, cf. GDPR Article 6 (1) f . When we act for private clients, such processing is based on GDPR Article 6 (1) b (agreement). In some cases, we may access sensitive personal data, such as health information or information about violations of the law. Our processing of such information is based on GDPR Article 9 (2) f (necessary for the establishment, exercise or defence of legal claims).
In order to improve and further develop our services, we may develop templates based on earlier advice. When preparing templates, we will anonymise the personal data. We will also look to past cases when we give advice. Any processing of personal data in this connection is based on our legitimate interest in leveraging accrued knowledge when we provide legal services, cf. GDPR Article 6f GDPR (balancing of interests).
Time and costs incurred on a case are recorded in our accounting system. Contact information that we have received from clients is used for invoicing. For business clients, any processing we do in connection with client administration is based on GDPR Article 6 (1) f (balancing of interests). For private clients, the legal basis is GDPR Article 6 (1) b (agreement).
Archiving of case documents
We will keep the documents and correspondence of the case after the assignment has ended, normally for ten years. Archiving of case documents for such time is necessary both for our clients and for us, because questions or disputes may arise where documentation from previous cases can be relevant. The legal basis for the processing of personal data for archiving purposes is GDPR Article 6 (1) f (balancing of interests) and GDPR Article 9 (2) f (necessary for the establishment, exercise or defence of legal claims).
IT operations and security
Personal data stored in our IT systems may be available to us or our suppliers in connection with system updates, implementation or following up of security measures, troubleshooting or other maintenance. The legal basis is GDPR Article 6 (1) f (balancing of interests, cf. our legitimate interest in said activities) and our legal obligation to have an appropriate level of security, cf. GDPR Articles 32 and 6 (1) c.
We send newsletters and event invitations by email to contact persons of our existing clients (clients we have assisted in the last three years), as well as to others who have requested to receive our newsletter. For emails sent to contact persons of existing clients, our legal basis is GDPR Article 6 (1) f (balancing of interest: our legitimate interest in following up clients on legal news and providing relevant information about our services), cf. section 15 (3) of the Norwegian Marketing Act. For emails sent to other persons, our legal basis is GDPR Article 6 (1) a (consent), cf. section 15 (1) of the Norwegian Marketing Act. All recipients of our emails can easily opt out by sending us an email or by using the link included in each e-mail.
Website administration and cookie use
Cookie use requires your consent. Advanced browser settings to the effect that you accept cookies are considered to be consent. You may change your browser settings at any given time if you do not want to accept a cookie. For more information on cookies and how you may change your browser settings, see https://nettvett.no/informasjonskapsler/.
Lawyers are subject to a strict statutory duty of confidentiality. Everyone who works at 1,5 Advokatfirma AS is subject to a duty of confidentiality.
It may nonetheless be necessary for us to disclose personal data to the following persons:
Counterparties, courts and supervisory bodies
We disclose contact details and case details to involved parties in connection with legal disputes and other legal matters if necessary for the case. We do not disclose personal data if such disclosure would violate our duty of confidentiality.
Our suppliers (IT services, administrative services, etc.)
We use suppliers of IT systems and other administrative services that process personal data on our behalf. We always conclude data processing agreements with suppliers to ensure that we are in compliance with statutory requirements when we disclose personal data, for example that the data are stored in a secure manner, that they are stored in Europe and that they are not used for any other purpose.
Our disclosure of personal data to data processors may in some situations mean transfer out of the European Economic Area (“EEA”). We implement measures to protect the data, such as entering into agreements with the processor based on EU’s standard contractual clauses. You can read more about EU’s standard contractual clauses here.
We do not disclose personal data to any other person than those mentioned above, unless we are under a statutory obligation to disclose such data.
Please note that a client may be the data controller for any processing of data carried out by the client at its own initiative.
Storing of personal data
When it is no longer necessary to process personal data for the purpose for which these were collected, we will erase or anonymise such personal data.
We erase or anonymise personal data in accordance with the following procedures:
- We retain invoicing details and personal data in relation to client due diligence for such period as is required under statutory requirements laid down in the bookkeeping legislation and the anti-money laundering legislation.
- We normally retain all files and documents in relation to a case, for example case details, archives, files, documentation and contact details, for ten years.
If we process your personal data, you are a data subject. As a data subject, you have the rights stated below. Please note that your rights may be subject to exceptions and limitations.
Withdrawal of consent
If you have agreed to receive news letters or invitations from us, or to other forms of processing of personal data, you may at any time withdraw such consent.
You have the right to know which of your personal data we process, unless such disclosure to you would amount to a breach of our duty of confidentiality as lawyers. We may ask you to request access in writing or to provide proof of identity in order for us to be certain that you are who you claim to be.
Correction or deletion
You have the right to ask us to correct any incorrect personal data concerning you that we process and to ask us to delete your personal data. We will comply with requests for deletion unless deletion is in conflict with pressing needs, for instance that we have a legitimate need for continued retention.
You have the right to object to our processing of your personal data.
You may request that we restrict the processing of your personal data.
You generally have the right to have personal data on you transferred in a commonly used machine-readable format. As this only applies for personal data you have provided to us, which we process based on your consent or a contract with you, it is unlikely that this right is applicable in respect of our data processing.
Complaint to the Norwegian Data Protection Authority
If you disagree with the way we process your personal data, you may lodge a complaint with the Data Protection Authority.
We have implemented technical and organisational security measures in order to ensure that we process personal data in a secure manner . We make regular assessments of the security of all systems used for the processing of personal data, and agreements have been entered into that require suppliers of such systems to ensure satisfactory information security.
Access to personal data (and client/matter information) is restricted to personnel who need access in order to carry out their tasks. We have adopted an internal IT policy, and we regularly train employees in IT security and proper use of our IT systems.
Changes to this Privacy Statement
We may make minor changes to this Privacy Statement. You will always find the latest version on our website. Any major changes will be notified specifically.
If you should have any questions or comments to our Privacy Statement or if you wish to exercise your rights, please contact us at firstname.lastname@example.org or +47 480 12 118.