Information

Privacy Policy

Last modified: 15.08.2023
 
This privacy policy applies to Sterk Law Firm AS ("we" or "us"). We are responsible for processing the personal data described in this privacy policy. You can find our contact information below. 

1. Whose personal data we process

This privacy policy is aimed at our processing of personal data about the following individuals:

· Private customers
· Clients in criminal cases
· Contact persons at business clients
· Contact persons at our suppliers and partners
· Individuals involved in cases we assist with
· Other persons mentioned in case documents we access
· Visitors to our website

2. Purpose, types of personal data, and legal basis

Below, we provide an overview of the purposes for which we process personal data, the types of personal data we process, and the legal basis for the processing.

Establishment of client relationships: When contacted by a client with a request for us to take on a task, we conduct an internal independence check (conflict resolution) before potentially agreeing to the task. The independence check serves a legitimate purpose and is based on GDPR Article 6(1)(f) (balance of interests). Conflict checks for private customers generally include full name, the nature of the case, and, if relevant, creditworthiness. Generally, conflict checks on behalf of business clients will not involve processing personal data.

In connection with establishing a client relationship, we will perform customer checks in accordance with the rules of the Money Laundering Act. The customer check is necessary to fulfill our legal obligations under the Money Laundering Act, cf. GDPR Article 6(1)(c).

If we can take on the task, contact information is registered. For private customers, the registration of contact information is necessary in order to enter into an agreement with them, cf. GDPR Article 6(1)(b). For business customers, the registration of contact information is based on a balance of interests, cf. GDPR Article 6(1)(f).

Case management: Certain legal tasks involve us accessing personal data about parties or other individuals affected by a case. Such data may appear in documents that the client submits or other correspondence in the case. The processing of personal data in connection with assignments for business clients is anchored in GDPR Article 6(1)(f) (balance of interests). In some cases, we also gain access to sensitive personal data, such as health information or criminal convictions and offenses. In such cases, the processing of the data is grounded in GDPR Article 9(2)(f) (necessary for establishing, exercising, or defending a legal claim), cf. the Personal Data Act (new 2018) § 11.

Knowledge management: The basis for processing is our interest in utilizing developed knowledge in further advisory services, cf. GDPR Article 6(1)(f) (balance of interests).

Client administration: Separate case files are created for assignments performed on behalf of the client. Time and costs incurred on a case are recorded in our case management system and accounting system. For business clients, what we do in connection with client administration is based on GDPR Article 6(1)(f) (balance of interests), while for private clients, it is considered a necessary part of fulfilling the agreement with them, cf. GDPR Article 6(1)(b).

Storage and retention of case documents: We retain case documents for 10 years after the assignment is completed. Storage for the specified period is deemed necessary for both the client and ourselves, as questions or disputes may arise later where the information stored for a case may become relevant again. The legal basis for processing personal data is GDPR Article 6(1)(f) (balance of interests, cf. the legitimate interest stated above) and GDPR Article 9(2)(f) (establish, exercise or defend legal claims), cf. the Personal Data Act (new 2018) § 11.

Billing: Contact information received from business clients is used to mark the invoice sent to the business if the client requests this. For private clients, the person’s private postal address is used for invoicing. The processing basis is GDPR Article 6(1)(f) (balance of interests) for business clients and GDPR Article 6(1)(b) (necessary to fulfill the agreement with the data subject) for private clients.

IT operations and security: Personal data stored in our IT systems may be accessible to us or our suppliers in connection with system updates, implementation or follow-up of security measures, troubleshooting, or other maintenance. The processing basis is GDPR Article 6(1)(f) (balance of interests, cf. our legitimate interest related to the mentioned activities) and our legal obligation to have satisfactory information security, cf. GDPR Articles 32 and 6(1)(c).

Marketing: We send newsletters to email addresses registered to clients to whom we continuously provide legal services and to others who have requested our newsletter. Recipients of the newsletter can easily opt out by using a link included in each communication. The processing basis is GDPR Article 6(1)(f) (balance of interests) where we have received the email address in connection with a legal assignment. If there is an existing client relationship, marketing will be conducted in accordance with the Marketing Act § 15(3). In other contexts, marketing is based on the consent of the individual, cf. the Marketing Act § 15(1) and GDPR Article 6(1)(a).

3. With whom we share personal data

Our IT service providers may have access to personal data if it is stored with the provider or otherwise accessible to the provider under the contract with us. The providers act according to a data processor agreement and under our instructions. The provider may only use the personal data for the purposes we have determined and described in this privacy policy. 

We use providers located in countries outside the EU and EEA. For the transfer of personal data to these providers, we use the EU's standard contractual clauses for transfers (read more here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en) and/or the EU-US Privacy Shield framework (read more here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en).

Attorneys are subject to a confidentiality obligation punishable by law, as stated in the Penal Code § 111. All information entrusted to us in connection with an assignment is handled confidentially.

We do not disclose personal data in other cases or ways than those described in this privacy policy unless the client explicitly requests or consents to this, or the disclosure is legally required.

4. Storage of personal data

We store case documents for 10 years, before sending them to archives for an additional 20 years.

Accounting legislation requires us to store specific accounting documents for a specified period. When a particular purpose dictates storage for a given period, we ensure that personal data is used solely for the relevant purpose during this period.

5. Your rights

You have rights concerning personal data that pertains to you. What rights you have depends on the circumstances.

Withdraw consent: If you have given consent to receive newsletters from us, you can withdraw this consent at any time. We have made it easy for you to opt out of such communications by including a link to an unsubscribe form in each communication. If you have consented to other processing of personal data, you can also withdraw your consent at any time with regard to this processing by contacting us.

Request access: You have the right to access which personal data we have registered about you, as long as confidentiality does not prevent this. To ensure that personal data is disclosed to the right person, we may require requests for access to be made in writing or that identity is verified in other ways.

Request correction or deletion: You can ask us to correct incorrect information we have about you or request us to delete personal data. We will comply with a request to delete personal data as much as possible, but we may be unable to do so if there are compelling reasons not to delete, such as needing to retain information for documentation purposes. 

Data portability: In some cases, you may be able to obtain personal data you have provided to us to have it transferred in a machine-readable format to another law firm. If technically feasible, it may in some cases be possible to have it transferred directly to the other firm.

Complaint to the supervisory authority: If you disagree with how we process your personal data, you can lodge a complaint with the Data Protection Authority.

6. Security

We have established procedures for handling personal data securely. The measures are both of a technical and organizational nature. We regularly assess the security of all key systems used for handling personal data, and agreements are in place requiring suppliers of such systems to ensure satisfactory information security.

Access to personal data (and client/case information) is limited to personnel who need access to perform their duties.

We have adopted internal IT guidelines, and we conduct regular training of employees regarding security and the use of IT systems.

7. Changes to the privacy policy

We may make minor changes to this privacy policy. You will always find the latest version on our website. In the event of significant changes, we will notify you of this.

Contact Us

If you have questions or comments about our privacy policy or wish to exercise your rights, you can contact us:

Sterk Law Firm
P.O. Box 203 Center 0103 Oslo

post@advokats.no

+ 22 46 46 46