Introduction
This Privacy Notice has been prepared by Advokatfirmaet InterJuris DA (“InterJuris”) to ensure that you receive the information we are required to provide to you and which is necessary for you to exercise your rights under the General Data Protection Regulation (Regulation (EU) 2016/679) and Norwegian data protection legislation (together “Data Protection Legislation“).
This Privacy Notice describes how InterJuris processes personal data about you, the purpose of our processing activities and the legal basis for our processing activities. This Privacy Notice also describes your rights in connection with our processing of your personal data under applicable Data Protection Legislation.
Generally about personal information
Personal data means any information relating to an identified or identifiable natural person (a “data subject”). Your name, phone number, address and e-mail address are examples of information which generally is regarded as personal data.
Who we process personal data about
This Privacy Notice addresses our processing of personal data about the following persons:
InterJuris’s responsibility as a controller
As a “controller” InterJuris is responsible for our processing of your personal data. We also act as a controller when we process personal data in connection with our provision of legal services to our clients. Please note however, that the client is responsible for the processing activities the client conducts independently of us.
As controller, InterJuris is responsible for complying with the Data Protection Legislation when we process your personal data.
We will rarely process personal data as a data processor, and will in these events enter into a data processing agreement (in accordance with GDPR Article 28) with the applicable controller.
What kind of personal data do we collect and process?
Legal services etc.
We collect, generate and process the following personal data when we provide legal services, or in connection with the establishment and administration of our relationship with the client:
Contact details: If you are the client’s contact person or a private client (a client who is a physical person) we will collect and process your contact details, i.e. your name, email address, postal address, phone number and job title.
Billing Information: We store information regarding the assistance we have provided to you (including the timing of our assistance), whether we have issued our invoices to you by email or ordinary email (or through any other systems), whether or not you have paid the relevant invoices, and in the event of a payment default, information regarding our use of a debt collector.
Identification control: We are required to undertake a client/identification control if the client relationship or our legal services fall within the scope applicable legislation regarding anti-money laundering. We will in connection with a client/identification control collect documentation and information that confirms the client’s identity (such as valid ID), as well as the identity of the owners of the client (if the client is a legal person). We will also collect personal data about the purpose and nature of the client relationship. If you are a private client, we will collect your full name, birth number or D-number and address. If you do not have a birth number or D-number, we will collect information about your date of birth, place of birth, gender and citizenship. If the client is a legal person who is not registered in a public register, we will obtain personal data about the CEO, business manager, proprietor or equivalent contact person. After establishing the client relationship, registered information and obtained documentation will be subject to ongoing updates and verification as long as the client relationship exists.
Documents, archives and records: We will obtain, collect and generate documentation when we provide legal services and represent our clients. These documents, archives and records may include personal data regarding a person’s affiliation with the relevant case. This personal information may be about private clients, the client’s or opposite party’s contact persons, employees, and representatives, as well as other third parties who have had an affiliation with the case.
The Purpose of our processing of personal data
We process the personal data specified above in this Privacy Notice for the purpose of establishing and administrating the client relationship, for the purpose of providing our legal services, for billing purposes and for the purpose of enabling us to store documents and archive. We also process contact information, billing information and undertake client/identification controls for the purpose of complying with InterJuris’s statutory duties. We will furthermore process the contact details of our clients and potential clients for the purpose of conduction conflict checks.
What is our legal basis for processing personal data?
If you are a private client (a client who is a physical person), we will process your contact information, billing information and any personal data included in the relevant matter-related documents, archives and records which we collect and/or generate (as described above) because the processing is necessary for the performance of the client engagement.
If you are the client’s contact person (e.g. if the client is a legal person), we will process the aforementioned personal data based on InterJuris’s legitimate interests as a law firm providing our legal services to the client, and administrating our relationship with the client. We do not consider our legitimate interest to be overridden by the interests of the data subjects affected by the foregoing processing activities. We may also process the personal data of other data subjects than the client or the client’s contact persons (as described above) based on our legitimate interests in providing legal services, and to enable the client to establish, exercise or defend legal claims. If we in the course of our performance of legal services process special categories of personal data, then the processing will be carried out because it is necessary for the client’s establishment, exercise or defense of legal claims.
We also process billing information and undertake client/identification controls (as described above) in order to fulfill our statutory duties in relation to inter alia anti-money laundering legislation, Norwegian bookkeeping legislation, and to comply with requirements enacted on the basis of the Norwegian Courts of Justice Act. We will not be able to establish a client relationship with you, or provide legal services to you without processing the foregoing information.
Does InterJuris transfer or disclose your data to third parties?
We use external service providers to assist with IT services and other administrative support services. These service providers will act as data processors on behalf of InterJuris. We have entered into data processing agreements with our data processors which inter alia obligates the data processor to implement technical and organizational measures to ensure an appropriate level of security, confidentiality and integrity, as well as to only process the relevant personal data in accordance Data Protection Legislation.
Contact information and any personal data included in the relevant matter-related documents, archives and records which we collect and/or generate (as further described in Section “InterJuris’s responsibility as a controller”), may be disclosed to counterparties, courts and supervisory bodies in connection with our preparation for proceedings, defense of claims, or otherwise in connection with the performance of our legal services. We will however, not disclose your information to any third party, if the disclosure will violate our statutory duty of confidentiality.
We will not disclose your personal data to any other third parties than the third parties described above, unless required to do so under applicable law or as required under a court order.
Data retention
We will delete or anonymize personal data when they are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or as otherwise required under the Data Protection Legislation. We will furthermore delete or anonymize personal data in accordance with the following criteria:
Billing information and personal information related to client/identification controls will be stored in the period of time prescribed by statutory requirements, inter alia the Norwegian Bookkeeping Act and anti-money laundering legislation;
Personal data included in case related information, documentation, records and archives will normally be stored for ten years. We will as a result normally also store contact information obtained from the client for a ten year period. The foregoing applies to all files, records and documentation kept by us, except for documents that are deposited with us, typically wills and similar type of documents.
Your data protection rights
Under Data Protection Legislation, you have certain rights we need to make you aware of. The rights available to you inter alia depend on our reason for processing your personal data. You have the following rights in connection with our processing of your personal data:
Access: You may contact us if you want to obtain confirmation with respect to whether or not we are processing your personal data, as well as access to- and further information regarding our processing of your personal data. However, please note that your right of access will not apply if we are prohibited to give you such access due to our statutory duty of confidentiality.
Rectification: You may request us to rectify and/or complete inaccurate or incomplete personal data.
Erasure: You may request that we erase your personal data. We will respect and comply with your request unless we inter alia are prohibited from deleting your personal data under mandatory retention requirements, or the personal data is necessary for the establishment, exercise or defense of legal claims.
Restriction of processing: You may also request the restriction of our processing of your personal data in accordance with Data Protection Legislation. If the processing has been restricted, such personal data will, with the exception of storage, only be processed with your consent or for the exercise or defense of legal claims or for the protection of the rights of another person or for reasons of important public interest.
Right to object: You are entitled to object to certain processing activities, including for example processing of your personal data for marketing purposes. You are furthermore on grounds relating to your particular situation (for example, a specific need for protection of your identity), entitled to object to processing of personal data based on legitimate interests, which we will comply with, unless there exists compelling legitimate grounds for our processing which override your interest, or if our processing is necessary for the establishment, exercise or defense of legal claims.
Data Portability: If we process your personal data based on consent or based on our performance of a contract, and the processing is carried out by automated means, you may request us to transfer the personal data to you or another controller, in a structured, commonly used and machine-readable format.
Please note that our statutory duty of confidentiality may prohibit us from giving you access to your personal data. You may also be prevented from exercising the other rights described above, in the event that the relevant personal data falls within the scope of our statutory duty of confidentiality. You can read more about lawyer’s duty of confidentiality on the Norwegian Bar Association’s website: www.advokatforeningen.no.
Please contact us at the below listed contact information if you wish to make a request. Please also note that we may request the provision of additional information, if such information is necessary to confirm your identity.
Security
As a controller InterJuris is responsible for the security and confidentiality of the personal data we process. We are furthermore responsible for implementing appropriate technical and organizational measures to ensure an appropriate level of security of processing.
The Norwegian Data Protection Authority and other supervisory authorities
The Norwegian Data Protection Authority has inter alia been established to supervise the Norwegian companies’ processing of personal data. You may contact us at any time if you have any information or complaints regarding our processing of your personal data. You may also file a complaint with the Norwegian Data Protection Authority, or a data protection authority in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged data protection infringement. You can obtain the contact details of the Norwegian Data Protection Authority on their website.
Changes
We may, from time to time, revise this Privacy Notice for example due to changes in our processing activities, applicable Data Protection Legislation or other legislation which may affect our processing of personal data. An updated version of this Privacy Notice will be published on our website if any revisions to the Privacy Notice is made.
Contact information
If you have any questions about this Privacy Notice, including how we process personal data, or would like to submit a request to exercise your rights, please contact us at:
Advokatfirmaet InterJuris DA
Postboks 191
4662 Kristiansand, Norway
Phone: +47 38 02 85 00
Email: post@InterJuris.no