PRIVACY POLICY
Hansson Law firm (“Hansson” or “we”) is concerned with shielding our clients privacy with the highest form of safety, confidentiality and security. This privacy policy applies to our processing of personal data that we access through all our legal services. As data controller we have a responsibility to ensure that your data is handled and managed responsibly in accordance with the applicable privacy laws. The applicable rules and regulations include, but is not limited to, EU’s Regulation 2016/679 («GDPR»), the Personal Data Act with all associated regulations as well as rules for law firm practices set forth in the Courts of Justice Act.
This privacy policy contains information about how we process and protect your personal data and what rights you have.
1. Who we process personal data about
We offer legal services to all forms of businesses and individuals. All our services, regardless of the type of principal, will entail personal data processing.
The privacy policy applies for the collection and processing of personal data for the following persons or group of persons:
Contact persons with our business clients
Beneficial owners with our business clients
Private clients/ individuals
Contact persons with our uppliers and partners
Other people involved in or mentionefd in cases we handle
2. How we collect and process personal data
2.1 Establishing client relationships
When we are contacted by a client (existing or prospective), we always perform a conflict check before taking on the assignment. This is required to ensure that we comply with the Rules of Conduct, and the legal basis for such a check is pursuant to GDPR Article 6c and Artikkel 6f. Normally conflict checks do not entail collection or processing of personal data. But some personal data must be collected or processed, such as the client’s name (if it’s a prospective client), if the vclient is a business; who is the business representative, what does the case regard and potential relations to other people, clients or partners we have.
In addition, it’s normally always required to perform a so-called client background check pursuant to the Money Laundering Act. For this purpose we need full name, address, e-mailaddress, date of birth and personal security number or D-number for private clients and others who represent the client (typically the chairman of the board or CEO) identification papers on private clients or those who represent the client as well as certificate of registration/ incorporation of a business client.
Beyond background and conflict check, when it is called for, we will collect case pertinent personal data about the client, opposing parties and others who are affected or involved, as well as any other information relevant for performing the services. Legal assignments often means collecting sensitive personal data, such as medical or financial information.
The purpose of the collection and processing of personal data is to perform our assignments in a secure, proper and suitable manner, according with the interests of the client and applicable regulations.
The legal basis for our collection and processing of personal data is normally that it is necessary to fulfill our obligations toward the client in accordance with the agreement on legal services (GDPR Art. 6 no. 1 b) or that the processing is necessary to uphold a legal obligations we are subjected to (GDPR Art. 6 no. 1 c). Processing may also be based on processing being necessary to safeguard the objectives pursued by Hansson Law firm (GDPR Art. 6 no. 1 f). Ultimately, processing may be based on consent from the registered (GDPR Art. 6 no. 1 a).
2.2 Case handling
In carrying out legal assignments, we normally gain access to and process personal data, for instance regarding owners of businesses we represent, regarding private individuals we represent, regarding opposing parties, witnesses and other involved in the case. Such information may typically appear in documents and correspondence we receive, prepare or re-distribute as part of a case. Processing of personal data in cases for business and private clients have legal basis either in GDPR Art. 6 no. 1 f or b. When we gain access to sensitive personal data, such as medical information, the legal basis for processing is GDPR Art. 9 no. 1 f, pursuant to the Personal Data Act Art. 11.
2.3 Filing/ storing of case documents
We file all case documents and correspondence for 10 years after the case is completed. Personal data regarding the client is filed for 10 years after inactivity from the client. When a case is completed, it is transferred to an archive. Initially a physical archive, then an electronic one. Processing of personal data for filing purposes is based on GDPR Art. 6. no. 1 f.
2.4 Invoicing
Contact information we have received from our clients is used for invoicing purposes. The legal basis for such retention and use is GDPR Art. 6 no. 1 f and b.
3. Parties with whom we share personal data
Lawyers are subject to a strict, statutory pledge of confidentiality. All information entrusted to us or that we become aware of in connection with any assignment, is handled with the utmost confidentiality. There is no Statute of Limitations on the pledge of confidentiality.
Wes hare personal data with the courts, opposing parties, authorities, finance institutions or others when it’s required in connection with a case.
Our suppliers of IT-services and their subcontractors may have access to personal data if it is necessary to deliver their services to us. We have data processing agreements with all main- and subcontractors ensuring that personal data is neither mismanaged nor distributed to outsiders.
We never disclose personal data in other situations unless the client expressly instricts us of it or it is necessary to comply with laws or public authority requirements.
4. Data retention
As lawyers, we are subject to certain duties and guidelines for storing data and case documents. Personal data and case documents are stored for 10 years following inactivity in the client relationship or completion of a case, unless consent or agreement for prolonged storage is obtained.
Storing means both physical and electronic documents.
We store personal data as long as it is necessary to fulfill the purposes described in the privacy policy or the purposes behind the collection.
5. Your privacy rights
You have several rights under the applicable privacy regulation. Please do not hesitate to contact us if you wish to exercise your rights, see contact details under section 9 below.
As registered, you have, with some exceptions, the following rights:
- To have confirmed if personal data about you is stored with us, and if yes, to have access to the data and information about processing. The right of access is however limited; because we are subject to statutory pledge of confidentiality we cannot grant access to case information unless you are a private client, the information regards you and the case information regards assignments we have performed for you. You are entitled to have the information communicated on a suitable medium.
- To have incorrect or incomplete information about you corrected or completed, without undue delay.
- To have personal data regarding yourself deleted. This applies however only with certain conditions. We cannot delete information for which we have probable cause and legal basis for storing, or information necessary to uphold a certain need or purpose, see section 4.
- To demand limitation of the processing.
- You have a general right to object to our processing of your personal data.
- If you disagree with the manner we are processing your personal data, you can appeal to the Norwegian Data Protection Authority (“Datatilsynet”). We kindly ask that you contact us beforehand, so that we may clarify any misunderstandings.
- To withdraw consent given to us.
Hansson does not carry out automated decision-making or profiling.
6. Security
We have implemented necessary technical and administrative measures in order to ensure that your personal data is collected, processes and stored in a properly safe and secure manner. We take our responsibility very seriously. We have entered into agreements with all our suppliers to ensure satisfactory data- and information security.
In cases where disclosure of data, as described in section 3, involves transfer of data outside the EEA, we implement measures to protect the personal data, such as ensuring that the recipient is Privacy Shield-certified or in other ways complies with EU’s standards for information security.
We never disclose personal data where such disclosure will violate statutory duty of confidentiality.
7. Amendments to this privacy policy
This privacy policy statement is updated on February 20, 2020, and will be updated when necessary. We encourage everyone to read the statement from time to time.
8. Contact information
Please contact us if you have questions, coments or wish to exercise your rights. You may use the following contact information:
Advokatfirmaet Hansson AS
Pilestredet 17, N-0164 Oslo
E-mail: post@hanssonlaw.no
Phone: +47 22 44 44 34