This Privacy Notice is prepared by Advokatfirmaet Thommessen AS ("Thommessen") to ensure that you receive the information which we are required to give you, and which is necessary to enable you to exercise your rights under applicable personal data legislation.
The Privacy Notice explains what qualifies as personal data, how Thommessen processes your personal data and what is the purpose of, and basis for, such processing. In addition, we describe which rights you have under applicable personal data legislation and how you can exercise these rights.
What are personal data?
Personal data are details or assessments that can be linked to a specific individual or small group of individuals. Name, telephone number, home address and e-mail address are examples of what may be considered personal data.
Whose personal data we process
This Privacy Notice concerns our processing of the personal data of the following individuals:
- Private clients (any client who is a natural person)
- Client contact persons
- Persons involved in cases we advise on
- Other persons referred to in case documents we get access to
- Contact persons of our suppliers and collaboration partners
- Persons attending Thommessen events or joining our newsletter mailing list
The role of Thommessen as controller
Thommessen is the controller for the processing of your personal data.
This also applies if we have received your personal data from a client in connection with our provision of legal services to such client. This is because we will in our provision of legal services not be processing personal data on behalf of our client, but on our own behalf, as part of our performance of our duties as legal advisors. Please note, however, that the client in question will be the controller for any processing carried out by the client at its own initiative.
As controller, Thommessen is responsible for compliance with the provisions governing our processing of your personal data under applicable personal data legislation.
We will only process personal data as processor as a matter of exception. We will in such cases conclude a data processing agreement with the controller in accordance with GDPR Article 28.
Which of your personal data do we collect and process?
legal services, etc.
Thommessen will collect and process the following personal data in connection with our provision of legal services, as well as the establishment and administration of the client relationship:
- Contact details: If you are the client contact person or a private client (a client who is a natural person), we will collect and process your full name, e-mail address, mailing address, telephone number and job title.
- Invoicing details: We retain data on what services we have provided you with, the date and time of such services and how you receive our invoices (for example, by e-mail, ordinary mail, etc.), whether and when the invoices/outstanding amounts have been paid, and whether any outstanding amounts have been referred for debt collection.
- Client due diligence: If the client relationship and/or the legal services we provide fall within the scope of the Anti-Money Laundering Act, the client will be subjected to due diligence measures. These will include the collection of documentation verifying the identity of the client (such as valid ID documents), as well as the identity of the beneficial owners of the client. We will also collect personal data concerning the purpose and intended nature of the client relationship. If you are a private client, we will collect your full name, personal identity number or D-number and home address. If you have no Norwegian personal identity number or D-number, we will collect your date of birth, place of birth, gender and citizenship. If the client is a legal entity which is not registered in a public register, we will collect personal data on the general manager, business manager, proprietor or corresponding contact person. Following establishment of the client relationship, the registered data and obtained documentation will be monitored on an ongoing basis for the duration of the client relationship.
- Case details: We will in connection with our provision of legal services collect documentation and process personal data on individuals’ involvement or connection with the matter in hand that are of relevance to such legal services. These may be the personal data of private clients, client/opponent contact persons, employees and representatives, as well as other third parties with an involvement in the matter.
MARKeting and events
Thommessen will collect and process the following personal data in connection with our marketing activities, as well as evaluations of services we have provided:
- Contact details: Full name, e-mail address, mailing address, telephone number and job title, as well as who you work for, if applicable. If you are a student, we will also collect details on your place and year of study.
- Events: Which Thommessen events you have attended. We will also retain details of which of your events have been attended by Thommessen, and which persons held or hosted such events. If you receive the Thommessen newsletters, we will also retain information on whether the newsletter has been received and opened.
- Evaluations: Evaluations of Thommessen events, as well as other services provided by Thommessen.
Visits to our website
When you visit the Thommessen website, some cookies will be stored on your unit to generate website traffic statistics. In addition, we use advertising pixels to ensure appropriately tailored marketing.
The purpose of our personal data processing
We process the personal data listed in Section 5.1 of the Privacy Notice because it is necessary for the establishment and administration of the client relationship, for case administration purposes, for invoicing purposes and for the retention of case documents. We also process contact details, invoicing details and perform client due diligence to comply with Thommessen’s statutory obligations. Thommessen will also use the contact details of clients and potential clients to carry out independence checks (i.e. to clarify whether there are any conflicts of interest).
We process the personal data listed in Section 5.2 of the Privacy Notice in order to send you newsletters, event information and other marketing materials, as well as to deliver, tailor and measure the effect of marketing. We also process the personal data listed in Section 5.2 of the Privacy Notice in order to perform client assessments and evaluations, as well as to conduct business analyses of Thommessen’s operations and legal service delivery.
If you have received legal services or newsletters from us in recent years (for example because you are, or represent, an existing client), or have attended a Thommessen event, we will also use your contact details to send you newsletters, as well as information on, and invitations for, Thommessen events and seminars. Newsletters and event invitations will be sent by e-mail. Each e-mail will include a link you may use to unsubscribe from such newsletters, etc. You may also unsubscribe from said newsletters by sending an e-mail to firstname.lastname@example.org.
You may also register for seminars on www.thommessen.no, as well as through the links on the Thommessen Facebook and LinkedIn pages. When you subscribe to the Thommessen newsletters, etc., via our website, you will be asked to consent to receiving information from us, as well as to us processing your personal data to send you newsletters and seminar invitations.
What is the basis for Thommessen's personal data processing?
If you are a private client (a client who is a natural person), we process your contact details, invoicing details and, if applicable, case details (as outlined in further detail above), because it is necessary to perform our obligations under an agreement with you. If you are the client contact person (for example because the client is a legal entity), we will process your contact details because it is necessary for purposes relating to Thommessen’s legitimate interest. Said legitimate interest is the establishment and administration of the client relationship we have with the client for whom you serve as contact person.
We process case details (as outlined in further detail above) in relation to other persons than the client because it is necessary for purposes relating to Thommessen’s legitimate interest. Said legitimate interest is that such processing is necessary to enable us to provide legal services to the client and to enable the client to establish, pursue or defend a legal claim. It is our assessment that such interest is not incompatible with consideration for your privacy. If such case details include special category personal data, we will process such data because it is necessary to enable the client to establish, pursue or defend a legal claim.
We also process invoicing details and conduct client due diligence (as outlined in further detail above) to comply with our statutory obligations under the bookkeeping legislation and the anti-money laundering legislation, as well as to comply with our obligations under the Legal Practitioner Regulations. We will not be able to establish a client relationship with you or provide legal services to you without processing such information.
We process the personal data listed in Section 5.2 of the Privacy Notice for purposes relating to Thommessen’s legitimate interests. These legitimate interests are the marketing of Thommessen events and seminars, as well as marketing of Thommessen’s services. We also process such data to determine your relation with Thommessen for marketing purposes, as well as to improve our services. It is our assessment that these interests outweigh consideration for your privacy.
Disclosure of personal data and the use of processors
We use various service providers to provide us with IT and other administrative services. We have concluded data processing agreements with these service providers that require the companies in question to ensure that any personal data processed by such service providers on our behalf are stored in a secure manner, that these are not disclosed to unauthorised persons and that these are not used for any other purpose.
As far as concern contact details and case details (as outlined in further detail above), these can also be disclosed to opponents, courts and supervisory bodies in connection with legal disputes and other legal matters. Please note, however, that we will not disclose your personal data if such disclosure would violate our statutory duty of confidentiality.
We will not disclose your personal data to other persons than those mentioned above, unless we have a statutory obligation to disclose such information.
How long will we retain your personal data?
We will erase or anonymise personal data when these are no longer needed for the purpose for which these were collected, as well as in accordance with the following erasure procedure:
- Invoicing details and personal data in relation to client due diligence will be retained for such period as is required by statute, such as the bookkeeping legislation and the anti-money laundering legislation.
- Case details, archives and documentation relating to client matters will normally be retained for ten years. This implies that we will normally also retain contact details we have collected in connection with the relevant client matter for ten years. This applies to all files and documents retained by us, with the exception of any documents we deposit for safekeeping; typically wills and similar documentation.
- Personal data as listed in the marketing and events section of the Privacy Notice, which we have collected and use in connection with marketing activities, will be retained as long as there is a client relationship or, if applicable, until you revoke your consent to such processing. We consider there to be such a relationship as long as you have in recent years received a legal service or newsletters from us, or attended a Thommessen event. If you attend a student event, we will erase any personal data collected for that purpose shortly after the event.
What are your rights?
You have the following rights in connection with our processing of your personal data:
- Access: You may contact us if you want to know more about which of your personal data we process. Please note, however, that your right of access does not apply to any data that are subject to a duty of confidentiality under, or pursuant to, applicable statute.
- Rectification: If your personal data have been incorrectly recorded by us, you may require us to rectify any error.
- Erasure: You may request us to erase your personal data, which request we will respect and comply with, unless we are, for example, required to retain your personal data or the relevant personal data are necessary to establish, pursue or defend a legal claim.
- Restriction of processing: You may also require our processing of your personal data to be restricted pursuant to the data protection legislation, if the conditions applicable under the data protection legislation are met. If processing is restricted, your personal data will only be retained. However, this does not apply if you have consented to some form of processing despite such restriction, or if such processing is permitted under a different basis for processing (for example to pursue a legal claim).
- Object to processing: If personal data are processed for marketing purposes, you have the right to object against processing of your personal data. If your request is based on your particular situation (for example a special need for protection of your identity),you may object, pursuant to the data protection legislation, against processing activities we engage in to further our legitimate interests, which are not overruled by the interests of the data subject, or his or her fundamental rights and freedoms. However, this shall not apply if any weighty and legitimate basis for processing takes precedence over the interests of the data subject, or if processing is necessary to establish, pursue or defend a legal claim.
- Data portability: If we process your personal data on the basis of consent or to perform our obligations under an agreement, and the personal data are processed automatically, you may request us to provide you or a third party with such personal data in a structured, commonly used and machine-readable format.
Please note that our statutory duty of confidentiality may prevent us from granting you access to your personal data. Our statutory duty of confidentiality may also impede or prevent your exercise of the above rights, if the abovementioned personal data fall within the scope of our statutory duty of confidentiality. Please refer to the website of the Norwegian Bar Association for further details on attorneys’ duty of confidentiality.
You may contact us if you wish to invoke any of your rights. Contact details are set out on the bottom of the page. Please note that we may have to request you to present proof of identity or use a different channel of communication, as we may have to verify your identity.
What do we do to ensure that your personal data are safeguarded?
As controller of your personal data, we have the overall responsibility for ensuring that your personal data are processed and stored in a secure manner. This requires us to take appropriate technical and organisational measures to ensure satisfactory information security.
Security considerations prevent us from disclosing in any detail what technical security measures we have introduced and established. However, we can confirm that all of our employees are under a duty of confidentiality with regard to your personal data where necessary, that we have adopted technical and organisational measures to safeguard the integrity and availability of your personal data, and that such data will not be disclosed to unauthorised persons.
The Norwegian Data Protection Authority and applicable personal data legislation
The Norwegian Data Protection Authority has been established to supervise the personal data processing of private and public entities. If you are dissatisfied with our processing of your personal data, you may lodge a complaint with the Norwegian Data Protection Authority. You may also lodge a complaint with the data protection authority in the EU/EEA state in which you have your ordinary residence or place of work, or in which the alleged violation has taken place. The contact details of the Norwegian Data Protection Authority are available on its website. Said website also provides additional information on our duties and your rights under the Personal Data Act.
The personal data legislation applicable at any given is available through Lovdata.
We may from time to time revise this Privacy Notice as the result of changes in our personal data processing or because of new personal data legislation. An updated version will be published on our website whenever the Privacy Notice is amended. In the event of substantial amendments, we will send the Privacy Notice directly to your e-mail address if such address has been registered by us.
We nonetheless recommend that you review the Privacy Notice from time to time when you visit our website.
You may contact us as follows if you would like further information on which of your personal data we process or if you would like to exercise any of your rights:
Advokatfirmaet Thommessen AS
P.O. Box 1484 Vika, NO-0116 Oslo
Telephone: 23 11 11 11