Privacy training

1. Introduction

The law firm Erling Grimstad AS is subject to the Personal Data Act, which shall protect the rights, freedoms and privacy interests of natural persons. Personal data means any information or assessment that can be linked, either directly or indirectly, to a natural person.

In the cases where we process personal data in accordance with the administration of justice laws (the Courts Act, the Criminal Procedure Act, the Disputes Act, the Enforcement Act, etc.) the rules in the Personal Data Act do not apply in principle. In line with the Danish Bar Association's recommendations, we still handle the personal data in line with the principles and provisions of the Personal Data Act in these cases as well, as far as possible.

We are the "data controller" for personal data that is processed about you (the "data subject") as a job applicant, client or party to a case/assignment that we have undertaken. In this document, we explain what personal data we process about registered persons, how we process such data, why it is necessary for us to process the personal data, and what is the basis for the processing. 

The privacy policy also explains the sources from which the personal data originates, how long we process the personal data and whether we use suppliers ("data processors") in connection with the processing.

2. General principles for the processing of personal data

In the cases where we process personal data in accordance with the Administration of Justice Act, the rules in the Personal Data Act do not apply in principle. This mainly includes procedural tasks that we undertake on behalf of our clients, including our preparations for any legal proceedings before the courts. Personal data that is processed in that connection is handled in line with the rules in the Courts Act, the Criminal Procedure Act, the Disputes Act, the Enforcement Act, etc. In line with the Danish Bar Association's recommendations, we will, to the greatest extent possible, also process personal data in these cases in accordance with the Personal Data Act. This means, among other things, that the personal data will be processed in line with the principles set out below in this chapter.

We also protect the privacy of those who apply for a job with us, our clients and the processing of personal data for other registered persons. We undertake to process all personal data in a legal, fair and transparent manner. We will only collect personal data for specific, express and legitimate purposes, and we will not further process the personal data in a way that is incompatible with these purposes. Therefore, we only process personal data about data subjects if it is necessary to fulfill an agreement, if we are legally required to process such data, if the data subject has consented to the processing, if we have another legitimate interest or if the processing is necessary in connection with a process assignment and processing takes place in line with the administration of justice laws.  

All personal information about registered persons must be adequate, relevant and limited to what is necessary to achieve the purpose of the processing activity. If we discover information that is incorrect, this must be updated or deleted. We shall not store or process personal data for longer than is necessary to achieve the purpose of the processing, unless otherwise provided by law.

We assure you that we take information security seriously, and that we will protect your personal data against unauthorized access (confidentiality) and changes (integrity). Only people in our firm who have a business need have access to personal data about you as a registered user. We are responsible for ensuring that the systems we use are robust and reliable, so that we have access to the information we need (availability).

3. Use of third parties (data processors) and disclosure of personal data

We use various system and service providers to deliver legal services to our clients and for internal use in our business. This also includes suppliers of operating systems where personal data is received, stored, archived or otherwise processed. In such cases, the supplier acts as data processor on behalf of the business, and we have entered into a written agreement (data processor agreement) which regulates how the supplier shall process the personal data. All data processors have undertaken to process personal data only in accordance with instructions from us, and to establish satisfactory information security to protect the personal data.

Lawyers are subject to a strict duty of confidentiality and we do not disclose personal data or other information to anyone other than our client, i.e. the person or company on whose behalf we carry out the assignment. Exceptions to the obligation of confidentiality may be that we are required by law to hand over personal data and other information, or if our client has explicitly instructed us to hand over information to someone else.

4. Geographical storage and processing

We receive, keep (store), archive and process personal data in our internal systems. Personal data and other information in these systems are stored on data servers located within the EEA area. We do not use internal systems that store personal data outside the EEA area.

If we carry out assignments for clients outside the EEA area, personal data and other information may still be transferred to countries outside the EEA area ("third countries"). In that case, this happens either to countries that the EU Commission has decided have an adequate level of protection or by using the EU's standard contract (Standard Contractual Clauses). Through these transfer mechanisms, it is ensured that natural persons' rights, freedoms and privacy interests are satisfactorily safeguarded.

5. Processing activities

5.1. Employment and recruitment

If you have applied for a job with us (including a position as a student/trainee), we need to process personal data in order to assess your application. This includes all information and documents that you have sent us, typically name, job application, CV, contact details (phone number, email address, address), date of birth, photograph, work experience, education, grades, diplomas, courses, certificates, positions, personal interests/characteristics and contact details for your references. We collect this information directly from you. In addition, we prepare minutes from the interviews we have had with you and the conversations with your references.

The purpose of this processing activity is to assess job applicants against the advertised position, and our basis for processing the information is the intention to enter into a possible employment contract with you, cf. the data protection regulation article 6 no. 1 letter b. The provision allows us to process personal data on request from the registered person (job seeker) in advance of a possible conclusion of an agreement.

You do not need to provide special categories of personal data (sensitive personal data) in your application to us or at a job interview with us. If you nevertheless choose to do this, for example information about disabilities, we base our processing of such personal data on your explicit consent, cf. the data protection regulation article 9 no. 2 letter a. 

We receive applications for jobs with us by e-mail or via FINN. Applications are transferred and stored in a dedicated area in the company's computer network and will be included as part of the processing of your personal data with us, if you are employed. Job applications from people who are not employed are stored until the end of the probationary period of the person who is employed (normally six months after employment). General job applications (i.e. applications that do not apply to a specific advertised position) are normally stored for one year unless otherwise agreed with the applicant.

5.2. Customer information

Before establishing a customer relationship, contact information is obtained for the private client or for contact persons at clients who represent a business. The purpose of the processing of the personal data is the implementation of customer measures in accordance with the Money Laundering Act or another form of customer control with a view to entering into an assignment agreement. We process the name, e-mail, telephone number, possibly job title of contact persons at the business with whom the agreement is to be concluded, postal address, copy of identification and information that is necessary for invoicing work carried out. 

The legal basis for processing private clients is GDPR Article 6 letter b (necessary to enter into an agreement). For business customers, the registration of contact information is based on a balancing of interests, cf. GDPR article 6 no. 1 letter f. Completed customer measures are stored in a separate folder with us for each client. 

Time and costs incurred on a case are registered in our accounting system. For business customers, the processing of personal data in connection with our administration is authorized in GDPR article 6 no. 1 letter f (balancing of interests), while for private customers it is considered a necessary part of fulfilling the agreement with the person concerned, cf. GDPR article 6 no. 1 letter b.

Contact details, account details and any credit checks of private clients, and contact details of employees of businesses as the client's representative, are used to send invoices from us. The processing basis is GDPR article 6 no. 1 letter b (necessary to fulfill the agreement with the data subject) for private customers, and GDPR article 6 no. 1 letter f (balancing of interests) for business customers.

5.3. Case management and storage of case documents

Certain legal assignments, investigation assignments, investigation cases or notification cases mean that we gain access to personal data about parties or other individuals affected by such a case. Such information can come from documents the client sends, interviews or other correspondence in the case. The processing (handling and storage) of personal data in connection with assignments for business customers is anchored in GDPR article 6 no. 1 letter f (balancing of interests). 

In some cases, we also get access to personal data in special categories, for example health data, criminal convictions or the like. In such cases, the processing of the information is based on GDPR article 9 no. 2 letter f (necessary to determine, enforce or defend a legal claim), cf. Personal Data Act § 11, or GDPR article 9 no. 2 letter b (necessary for processing in the area of employment, social security and social law), cf. Personal Data Act §§ 6 and 11.

Case documentation is transferred to our archive after the case has been closed. A case is closed when the assignment has been concluded by agreement with the client. The case is deleted from the archive in accordance with statutory requirements such as archive rules that apply to legal practice (as a general rule, an archiving obligation of 10 years). The storage period is set out of consideration for both our client's and the law firm's need to archive information in the case, e.g. for the law firm to be able to defend legal claims in the event of any dispute relating to the execution of assignments for the client. Case documents we archive may have significance for the client afterwards, either when carrying out other tasks for the client or for other purposes that the client decides.

Minutes from interviews/conversations in investigation assignments, investigations or whistle-blowing cases and other case documents obtained in such assignments are archived in a file in our archive and deleted in accordance with the statutory requirements as described above.

5.4. Seminars and courses

It is possible to register for our seminars, and to subscribe to seminar invitations. When registering for seminars, we process the name, e-mail and place of work of participants. The information is used to obtain an overview of the number of participants and to sharpen the content of the seminars. 

The legal basis for processing personal data in connection with registration for seminars is GDPR article 6 no. 1 letter f (balancing of interests). The legal basis for sending out seminar invitations to former seminar participants is GDPR article 6 no. 1 letter a (consent). If you have agreed to receive invitations to seminars in the future, you can withdraw your consent at any time. You will then be deleted from our e-mail list. 

5.5. Websites

Online statistics: The law firm collects de-identified information about visitors to governance.no. The purpose of this is to prepare statistics which we use to improve and further develop the information offer and the content on our websites. Examples of what the statistics provide answers to are how many people visit various pages, how long the visit lasts, which websites the users come from and which countries visitors come from. 

The information is processed in de-identified and aggregated form. De-identified means that we cannot trace the information we collect back to the individual user. 

We use the analysis tool Koko Analytics. 

Cookies: Our website uses cookies, as almost all websites do. See separate cookie banner for information about cookies on our website.

Contact form: On our website, you can voluntarily contact us via a contact form by entering your name and email. The personal information we receive from the contact form is not used for purposes other than answering your inquiry. The basis for the processing is GDPR article 6 no. 1 letter a (consent). After we have answered your inquiry, your personal data will be deleted, unless otherwise agreed separately.

6. Your rights

Introduction

When we process personal data about you, you have rights according to the privacy regulations. Below we explain these rights in more detail and when they apply. If you wish to enforce your rights, please contact the persons mentioned below (see contact information).

Right to information

The right to information means that you can contact us and ask for detailed information about how we process personal data about you. However, there are certain exceptions to the right to information.

Right to access

The right to access means that you are entitled to receive a copy of the information that we have stored about you. However, there are certain exceptions to the right to information.

Right to rectification

The right to rectification means that you have the right to have incorrect or incomplete personal information about yourself corrected or updated.

Right to erasure

The right to erasure means that you have the right to have information about yourself deleted if the personal information is no longer necessary for the purpose for which it was collected, you withdraw your consent or if you object to the legality of the processing. There is, however, an exception to this right if we are legally obliged to keep the information for a longer period.

Right to restriction of processing

The right to restriction of processing means that you are entitled to have the processing restricted if you dispute the correctness of the personal data, the processing is illegal or the personal data is no longer necessary for the purpose for which it was collected.

Right to object to the processing

The right to object to processing means that you can object to processing based on our legitimate interests, if there are special reasons. However, this does not apply if we can show a compelling justified reason.

The right to withdraw consent

If you have given us consent for us to use information about you, you can withdraw your consent at any time. The fact that you withdraw your consent will not affect the legality of the processing of personal data that occurred before you withdrew your consent.

Complaint to the Norwegian Data Protection Authority

If you believe that we are breaking the privacy regulations or are not satisfied with our handling of your inquiry, you can complain to the Norwegian Data Protection Authority. We encourage you to contact us first, so that we can provide answers and clarify any misunderstandings.

7. Contact

It is the general manager of the business who has the ultimate responsibility for ensuring that the business complies with the privacy regulations. 

If you have questions or comments about how we process personal data about employees, you can contact one of the above-mentioned persons or send an e-mail to hello@governance.no.

8. Changes to this privacy policy

This privacy policy can be updated continuously without us posting a specific notice for this. On the other hand, if the changes are material and/or affect your rights, we will post a notice that the privacy policy has been updated. The privacy policy applicable at all times is published on our website.