Privacy Notice
This Privacy Notice concerns any processing of personal data carried out by us in the capacity of controller, which is normally the case when we provide legal services. As a controller, we are responsible for ensuring that personal data are used in accordance with applicable data protection legislation.
In this Privacy Notice, you will find information about how we use and protect your personal data as well as your rights in this regard. Personal data are data that relate to you as an identifiable person.
1. Individuals subject to processing of personal data
We are first and foremost providers of business law advice. Generally, the data we process relate to businesses, not individuals. However, our services will still involve the processing of personal data.
This Privacy Notice describes how we process personal data related to the following data subjects:
- Contact persons with our business clients
- Private clients
- Contact persons with our suppliers and partners
- Persons involved in or mentioned in matters that we handle
2. How we process personal data
We have listed the typical purposes for our processing of personal data, the categories of personal data we typically process, and the legal bases for the processing below.
Establishing client relationships: When we are contacted by a client requesting our services, we perform a conflict check before taking on the engagement. This is required to ensure that we comply with the rules of professional conduct for lawyers, and the legal basis for performing such a check is provided in the GDPR Article 6c (legal obligation) and Article 6f (legitimate interest: our interest in behaving in an ethically correct manner). Such conflict checks do not normally involve the processing of personal data. Processing of personal data only takes place when we take on matters for private clients, or in cases where private individuals have the role of opposing party or a similar role. In such cases, the information is normally limited to the name of these individuals and the nature of the engagement.
Where necessary pursuant to the Norwegian Anti-Money Laundering Act, we will perform a background check of our clients. For this purpose, we process passport information and the client’s address details and we may conduct database searches. The basis for conducting such an anti-money laundering check is provided in the GDPR Article 6c (legal obligation).
If we take on the engagement, we will register the client’s contact details. For business clients, we primarily register the name, telephone number and e-mail address of contact persons. The basis for such processing is provided in the GDPR Article 6f (legitimate interest: our interest in communicating with our client). Correspondingly, for any private clients we will register the name, telephone number, address and e-mail address. The basis for such data processing is provided in the GDPR Article 6b (performance of a contract).
Handling matters: In carrying out legal engagements, we normally process personal data, for example regarding employees and owners of the client’s business or the opposing party’s business, witnesses, the opposing party’s counsel and other individuals involved in the matter. Such data may appear in documents and correspondence (such as letters, e-mails, pleadings, memos, agreements and minutes) prepared or received by us in connection with the case. The basis for processing of personal data in connection with engagements for business clients is provided in the GDPR Article 6f (legitimate interest: our interest in providing services to our clients), whereas the basis in connection with engagements for private clients is provided in the GDPR Article 6b (performance of a contract). In our handling of matters, we occasionally gain access to sensitive personal data, such as health information in employment matters or information concerning violations of the law in matters of financial crime. The legal basis for such processing is provided in the GDPR Article 9f (legal claims) cf. section 11 of the Norwegian Personal Data Act.
Invoicing: Time and costs accrued in a matter are registered in our accounting system. We use the contact details we have received from our clients for invoicing purposes. The legal basis for such processing of personal data in respect of business clients is provided in the GDPR Article 6f (legitimate interest: our interest in invoicing) and for the corresponding processing in respect of private clients in the GDPR Article 6b (performance of a contract).
Marketing: We send out newsletters and event invitations by e-mail to contact persons with our existing clients (clients we have assisted during the course of the last three years), and to others who have expressly requested such communication. The basis for sending such e-mails to contact persons with our existing clients is provided in the GDPR Article 6f (legitimate interest: our legitimate interest in following up our clients by providing legal news and relevant information about our services) cf. section 15(3) of the Norwegian Marketing Control Act. The basis for sending such e-mails to other individuals is provided in the GDPR Article 6a (consent) cf. section 15(1) of the Norwegian Marketing Control Act. Any recipients of our communication items can easily opt out using the link included in our e-mails.
Administration relating to suppliers and partners: In connection with our provision of legal services, we use the services of suppliers and partners. For such parties we register contact details, primarily the name, telephone number and e-mail address of contact persons. The basis for this processing is provided in the GDPR Article 6f (legitimate interest: our interest in administering our relationship with suppliers and partners).
We may also process personal data for purposes that are not incompatible with the original purpose for which the data was collected. This applies for example to storage for accounting purposes, use of information for innovation projects (which generally take place without the use of personal data), and use of information which may be required if we as a law firm become involved in legal proceedings, an acquisition or other kinds of processes.
3. Parties with whom we share personal data
Lawyers are subject to a duty of confidentiality. Any information which is shared with us in confidence or which we receive in connection with an engagement is handled confidentially.
We share personal data with courts, opposing parties and other advisers where necessary in order to execute the engagement.
The suppliers of our IT services and their sub-suppliers may have access to personal data if such access is necessary for their provision of services to us. We have data processing agreements with such parties ensuring that they do not use such data for their own purposes.
We do not disclose personal data in any other way, unless requested by our clients to do so or unless it is necessary in order to comply with laws or public authority requirements. We do not sell personal data.
4. Data retention
We retain your personal data as long as this is necessary to fulfil the purposes described in this Privacy Notice. This essentially means the following:
- We retain matter information for a period of up to 20 years. For matters where we have access to data via third-party data rooms, we will normally no longer have access to such data shortly after the completion of the engagement.
- We retain the details of contact persons with our clients for a period of 5 years after the client relationship has ended.
- We retain information collected for anti-money laundering check purposes for a period of 5 years.
- We retain invoice information for a period of at least 5 years.
- We retain the names and e-mail addresses of individuals who have consented to receiving newsletters until such consent is withdrawn.
- We make backup copies of our data, which are continuously deleted after 2 years.
5. Your rights as a data subject
You have several rights under the current data protection regulations. We have provided a list of these rights below. Please do not hesitate to contact us if you wish to exercise your rights. We will respond to your inquiry as soon as possible, generally within one month at the latest.
Access: You have a general right of access to the personal data concerning you that we have registered. Because lawyers are subject to a statutory duty of confidentiality, we cannot grant access to matter information, unless you are a private client and the matter information relates to engagements we have carried out for you.
Rectification and erasure: You have a general right to request that we should rectify any incorrect personal data concerning you and erase personal data concerning you. We will not rectify data and assessments concerning you which you consider to be incorrect, but which we or our clients consider to be correct. We also will not erase information if the continued retention of such information is required (see section 4 above).
Restriction: You have a general right to ask us to restrict (“freeze”) the processing of personal data concerning you, e.g. if you are of the opinion that our processing of your personal data is unlawful and you do not wish us to erase these data pursuant to our procedures for such erasure until the matter has been clarified.
Data portability: You have a general right to request the transfer of personal data concerning you in a common, machine-readable format. Because this only applies to the personal data you have given us and where we process such data on the basis of your consent or an agreement we have with you, this right will probably not be relevant in relation to us.
Objection: You have a general right to object to our processing of personal data concerning you if this is justified by special circumstances on your part. You also have the right to object to us using data concerning you for marketing purposes, and you can do this for example by using the link included in our e-mails.
We do not carry out automated decision-making or profiling.
Right to complain to the Norwegian Data Protection Authority (Datatilsynet): If you do not agree with the way in which we process your personal data, you may lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet). We ask that you contact us beforehand, so that we may clarify any misunderstandings.
6. Security
We have implemented technical and organisational security measures in order to ensure that we handle personal data in a secure manner. We perform regular assessments of the security of all of our systems used for the handling of personal data, and have entered into agreements instructing the suppliers of such systems to ensure an adequate level of data security.
In cases where the disclosure of data, as described in section 3, involves the transfer of data outside the EEA, we implement measures to protect the personal data, such as entering into agreements on the basis of the EU standard contractual clauses with the recipient. You can read more about the EU standard contractual clauses here and about Privacy Shield here, and you can contact us to receive a copy of these agreements (from which we will remove all confidential information).
7. Amendments to this Privacy Notice
We may amend this Privacy Notice from time to time. You will be notified if we make any significant amendments. The most up-to-date version of our Privacy Notice is available on our website.
8. Cookies
We use cookies on our website. For more information regarding our use of cookies, see our cookie policy.
9. Contact details
Please contact us if you have any questions or comments or if you wish to exercise your rights. Our contact details are as follows:
Advokatfirmaet Wiersholm AS
P.O. Box 1400 Vika, NO-0115 Oslo, Norway
E-mail: firma@wiersholm.no
Tel.: +47 21 02 10 00