Privacy Notice

Here at Advokatfirmaet Thommessen AS we are committed to uphold the highest data protection standards, and we process personal data in a secure and lawful manner.

This page describes how we process your personal data, and your rights related to our processing of your personal data. Personal data is information or assessments that relates to an identifiable individuals (i.e. data subjects).

At Thommessen, we process personal data when:

• providing legal services
• initiating marketing activities
• providing digital services

As data controller, we process the personal data of individuals who are involved in cases we are assisting on (for example clients, as well as contact persons of clients and other parties), contact persons of suppliers and collaboration partners, event and webinar attendees, newsletter subscribers and users of our services.

You may at any time send us an e-mail if you have any questions regarding our processing of your personal data, or would like to exercise your rights as a data subject.

If we process your personal data, you are a data subject. As a data subject, you will have the following rights:

• Access. You have the right to know which of your personal data we process.
• Rectification. You may ask us to rectify any error in your personal data.
• Erasure (the right to be forgotten). You may ask us to erase your personal data.
• Restriction. You may ask us to restrict the processing of your personal data.
• Object. You may object to the processing of your personal data.
• Data portability. You may ask us to provide you or others with your personal data in a structured, commonly used and machine-readable format.

Please note that the above rights may be subject to exceptions and limitations. We cannot, for example, give you access to your personal data if it would violate our duty of confidentiality.

You may send us an e-mail if you wish to exercise any of the above rights. We may ask you to provide proof of identity or to use a different channel of communication in order for us to be certain that you are who you purport to be.

Thommessen is responsible for processing and storing your personal data in a secure manner. We therefore take technical and organisational measures suited for ensuring that the data processing is in compliance with statutory requirements.

Security considerations prevent us from disclosing in any detail what technical security measures we have introduced. We have, however, implemented technical and organisational measures to ensure security, integrity and availability in the processing of the personal data.

Everyone who works at Thommessen is subject to a duty of confidentiality with regard to your personal data where it is necessary.

If you have additional questions on how we process personal data, or are dissatisfied with our processing, you are welcome to contact us by e-mail.

You may also lodge a complaint with the Norwegian Data Protection Authority, which is responsible for supervising compliance with data protection regulations in Norway. You may also complain to the relevant data protection authorities in any EU/EEA member state in which you work, or in which you believe that the non-compliance has taken place.

Further details on your rights are available in the Data Protection Act and the General Data Protection Regulation (GDPR).

We update the privacy notice whenever needed, for example when new legislation is introduced or when we make changes to our processing of personal data.

If we make substantial amendments, we will notify you about the amendments by e-email, if your e-mail address has been registered by us.

The most recently updated version of the privacy notice will always be found on this website.

The data controller for the processing of your personal data is Advokatfirmaet Thommessen AS. Our registered address is:

Ruseløkkveien 38
0251 Oslo
P.O. Box 1484 Vika
NO-0116 Oslo

Enterprise registration number: 957 423 248

When we provide legal services, we will process the personal data of individuals who are involved, and referred to, in cases we are assisting on (for example clients, as well as contact persons of clients and other parties). We process the following personal data:

• Contact details. We process contact details such as the name, e-mail address, mailing address, telephone number and job title of the contact persons of clients (for example businesses or government bodies). This also applies if the client is a natural person.
• Independence checks (conflict of interest). Before we agree to represent a client, we use the contact details of clients and potential clients to carry out an independence check (i.e. to clarify any potential conflict of interest). We also collect personal data concerning the purpose and intended nature of the client relationship.
• Client due diligence. If the matter falls within the scope of the Anti-Money Laundering Act, the client will be subjected to due diligence measures. We also collect documentation verifying the identity of the client (for example valid ID documents), as well as the identity of the beneficial owners of the client.
  
  If the client is a legal entity which is not registered in a public register, we will collect personal data on the general manager, business manager, proprietor or corresponding contact person. We monitor the registered data and obtained documentation for the duration of the client relationship.
  
  If the client is a natural person, we collect the full name, national identification number and address of the client. If the person has no Norwegian national identification number, we will collect the date of birth, place of birth, gender and citizenship. We use national identification number for purposes related to secure identification.
• Case details. When we are assisting on cases, we collect relevant documentation and process personal data on individuals’ connection to the matter. These may be the personal data of private clients, contact persons, employees, representatives and other individuals who are involved in the case.
• Invoicing details. We retain data on when and what we have assisted clients on, and how the client receives our invoices (for example by e-mail, ordinary post, etc.), whether and when the invoices/outstanding amounts have been paid, and whether any outstanding amounts have been referred for debt collection.
• Evaluation. We may use client contact details to perform an evaluation after a matter has been closed.

When we provide legal services, we process personal data for purposes relating to client relationship administration, case administration, invoicing and case document storage. We process contact details and invoice details, and conduct client due diligence to comply with Thommessen’s legal obligations.

When we provide legal services, we process personal data on the following legal basis:

• Agreement. If you are a private client, we process your contact details, invoicing details and, if applicable, case details because it is necessary to perform an agreement with you.
• Legal obligation. We also process invoicing details and conduct client due diligence (as outlined in further detail above) to comply with our statutory obligations under the bookkeeping legislation, the anti-money laundering legislation and the Legal Practitioner Regulations. We will not be able to establish a client relationship with you or provide legal services to you without processing such information.
• Legitimate interests. We process the contact details of contact persons of clients that are legal entities, because it is necessary for purposes relating to Thommessen’s legitimate interest. Said legitimate interest is the establishment and administration of the client relationship we have with the client for whom you serve as a contact person.
  
  We process case details in relation to other persons than the client because it is necessary for purposes relating to Thommessen’s legitimate interest, for example because it is necessary to enable us to provide legal services to the client and to enable the client to establish, pursue or defend a legal claim. It is our assessment that such interest is not incompatible with consideration for your privacy.
  
  If such case details include special category personal data, we process such data because it is necessary to enable the client to establish, pursue or defend a legal claim.

Lawyers are as a general rule subject to a statutory duty of confidentiality with regard to all data associated with their provision of legal services. Everyone who works at Thommessen is subject to a duty of confidentiality.

It may nonetheless be necessary for us to disclose personal data to the following persons:

• Counterparties, courts and supervisory bodies. We disclose contact details and case details to involved parties in connection with legal disputes and other legal matters if necessary for the case. We do not disclose personal data if such disclosure would violate our duty of confidentiality.
• Our suppliers (IT services, administrative services, etc.). We use suppliers of IT systems and other administrative services that process personal data on our behalf. We always enter into data processing agreements with suppliers to ensure that we are in compliance with statutory requirements when we disclose personal data, for example that the data are stored in a secure manner, and that these are not used for any other purpose.
• Other persons. We do not disclose personal data to any other person than those mentioned above, unless we are under a statutory obligation to disclose such data.

Please note that a client may be the data controller for any processing of data carried out by the client at its own initiative.

When it is no longer necessary to process personal data for the purpose for which these were collected, we will erase or anonymise such personal data.

We erase or anonymise personal data in accordance with the following procedures:

• We retain invoicing details and personal data in relation to client due diligence for such period as is required under statutory requirements laid down in the bookkeeping legislation and the anti-money laundering legislation.
• We normally retain all files and documents in relation to a case, for example case details, archives, files, documentation and contact details, for ten years. We retain some documents, such as documents deposited for safekeeping; typically wills and similar documentation, for a longer period of time.

We process the following personal data for marketing activities, such as events and newsletters.

• Contact details. Name, e-mail address, mailing address, telephone number, job title and place of work. For students we also collect data on the place and year of study. We also use contact details to distribute anonymous evaluations after our events.
• Allergies and food preferences. If the event is going to be catered, we enquire about any allergies or food preferences.
• Feedback provided in surveys. If you choose to participate in any of our surveys or other forms of assessments initiated by us, we will collect the feedback you provide, as well as any contact details the relevant survey requires you to register (e.g. what industry you work in, your job position and which Thommessen office you work with or otherwise are affiliated with). Participation in surveys is always voluntary.
• Preferences and user behaviour. We will process information about which subject areas you are interested in when deciding which newsletters and invitations to send you. We have either received this information directly from you (in connection with your registration to receive newsletters and invitations to events) or derived from your participation in events and use of our services. When we distribute newsletters, we collect data on user behaviour, such as whether the newsletter has been opened. In connection with our webinars, we collect data on when you join/leave the webinar, on whether you have posed questions or answered questionnaires during the event, and on whether you have downloaded the presentation.

In connection with marketing activities, we process personal data for the purpose of following up on clients (and others who have actively asked to receive information from us) with legal news, event invitations and information of our services.

When we hold events, the purpose of collecting personal data is to provide information to attendees, to manage and facilitate the event, as well as to prepare attendee lists.

We also use personal data for the purpose of tailoring and measuring the effect of our marketing activities.

We process personal data for marketing purposes on the following legal bases:

• Consent. We distribute newsletters if you have consented to it, or if there is an existing client relationship. If we take photos or make videos at events, we comply with Section 104 of the Copyright Act regarding the right to one’s own image, prior to publication. This means that we, for example will obtain your consent to publish a photo/video where you, and not the event, is focus of the photo/video. You may at any time withdraw your consent by sending us an e-mail or by clicking on a link at the bottom of any newsletter.
• Legitimate interests. As a law firm, we have a legitimate interest in following up on our clients with legal news items and by providing relevant information on our services. If we distribute newsletters based on an existing client relationship, we do so on the basis that we have a legitimate interest in doing so.

Everyone who works at Thommessen is subject to a duty of confidentiality. We may nonetheless disclose certain personal data to, for example:

• Our suppliers (IT services, administrative services, etc.). We use suppliers of IT systems and other administrative services that process personal data on our behalf. We always conclude data processing agreements with suppliers to ensure that we are in compliance with statutory requirements when we disclose personal data, for example that the data is stored in a secure manner, and that it is not used for any other purpose.
• Co-hosting events. When co-hosting an event with other companies, we will share the name, job title and company name of the persons we have invited to attend the event, with our partners.
• Lists of participants. We often share lists of participants with the participants that have attended our events. These lists include the name, job title and company name of all participants.

We do not disclose personal data to any other person than those mentioned above, unless we are under a statutory obligation to disclose such data.

We never retain personal data longer than necessary for the purposes for which such data were collected. When it is no longer necessary to process the personal data, we will erase it.

We provide various digital services that our clients may make use of. If for these services we process personal data in a different way than described in this privacy statement, you can read more about the processing of personal data in the privacy statement for the specific services.

If you use our service ThommessenTracker, we track your use to tailor and improve the service, to prepare statistics and to prevent misuse of the service. We base our processing of personal data on our legitimate interest in improving the service. It is our assessment that this interest outweighs privacy considerations in relation to the user.

When you register as a user in our Sustainability Database, we receive the information you provide when registering. We store personal information as long as the service is active. We may use the information to contact you directly with inquiries related to the database and its content.

We use cookies on our website. A cookie is a small text file which stores information on your device (e.g. PC, tablet, mobile phone). You can read more about the types of cookies we use, the purpose and legal basis with our use of cookies, as well as which cookie suppliers we are relying on, in our cookie banner. Our cookie banner will pop up if you press the green cookie symbol at the lower left side of our webpage.

We collect the following categories of personal data from applicants/candidates in connection with recruitment:

• Contact details. Full name, e-mail address, mailing address, telephone number, job title, employer or, alternatively, place of study. For students, we will collect data on the place and year of study.
• Application data. Candidate data included in the application wording, CV, transcript, references and similar documents.
• Personality tests and aptitude tests. Personality test and aptitude test scores, when such tests are undertaken as part of the recruitment process.
• Evaluations. For certain former trainees, we retain evaluations and feedback collected during the traineeship.

When we recruit, we process personal data to recruit new suitable employees for the company. The recruitment process includes assessment of each candidate’s suitability for relevant positions.

In our recruitment processes, we process personal data on the following legal bases:

• Consent. When we retain evaluations and feedback relating to former trainees, we do so on the basis of the trainee’s consent. Data from personality tests and aptitude tests are processed on the basis of the candidate’s consent. You may withdraw your consent at any time.
• Legitimate interests. We process personal data in connection with our recruitment process on the basis of our legitimate interest in evaluating and recruiting suitable people to Thommessen. Participation in Thommessen’s recruitment processes is voluntary, and it is our assessment that our legitimate interests in relation to the recruitment process outweigh individual data protection considerations, in view of the reasonable expectations of the data subjects.

Everyone who works at Thommessen is subject to a duty of confidentiality. Certain personal data may nonetheless be disclosed to the following persons:

• Our suppliers (IT services, administrative services, etc.). We use suppliers of IT systems and other administrative services that process personal data on our behalf. We always enter into data processing agreements with suppliers to ensure that we are in compliance with statutory requirements when we disclose personal data, for example that the data is stored in a secure manner, and that it is not used for any other purpose.
• Other persons. We do not disclose personal data to any other person than those mentioned above, unless we are under a statutory obligation to disclose such data.

Please note that other entities (for example event managers) may be the data controller for any processing of data carried out by such entities at their own initiative.

When it is no longer necessary to process personal data for the purpose for which these were collected, we will erase or anonymise such personal data. We erase or anonymise personal data in accordance with the following procedures:

• Personal data collected in connection with recruitment are normally retained until the recruitment process has been completed. For candidates who are recruited by the end of the recruitment process, any data of relevance to their employment will be retained and processed further in connection with their employment.
• When former trainees consent to the retention of evaluations and feedback, such data will be retained for as long as is justified by the consent.