Control of personal data within Advodan
WE TAKE THE PROTECTION OF YOUR PERSONAL DATA SERIOUSLY
ADVODAN is a network of independent law firms with a joint secretariat (ADVODAN A/S). The individual law firms and ADVODAN A/S are individually responsible for complying with current legislation, including the General Data Protection Regulation (hereinafter referred to as ”GDPR”) as well as the Danish Data Protection Act.
To ensure the best possible protection of your personal data, we regularly assess the risk of our data processing adversely affecting your basic rights. We are especially aware of the risk that you may be subject to discrimination or identity theft – or may suffer financial losses, loss of standing or data confidentiality.
WE ARE DATA CONTROLLERS (HOWEVER, IN CERTAIN CIRCUMSTANCES WE ARE DATA PROCESSORS)
When processing the personal data of our clients and other parties in the course of our work as a law firm, we usually act as data controllers, while we act as data processors in a limited number of situations. Whether we are data controllers or data processors depends on the specific situation. Below, we set out the typical situations based on our relationship with you.
Processing your, the client’s, personal data as part of our case management:
When we process personal data on you or on your behalf as our client – including contact information for your employees, etc – we do so for the purpose of completing a task for which you have asked our assistance.
As lawyers, we often work independently and assess, among other things, whether there is a basis for collecting and processing personal data, which personal data is required and relevant, and for how long this personal data is to be stored. Moreover, as lawyers, we are subject to a number of regulations pertaining to our case management, including our professional ethical rules, the Danish Administration of Justice Act, etc., which subject us to a number of obligations such as carrying out an independent assessment of case procedure – independent of your view as the client.
We are thus obliged to act independently in connection with a number of decisions made concerning your (and possibly other parties’) personal data, and for this reason, in most cases, we would be deemed to be data controllers.
When we are deemed to be data controllers of your personal data, we must ensure compliance with your rights pursuant to the current legislation on the processing of personal data (Please see the section ”Your rights”).
In connection with certain types of cases, such as property management, we may, depending on the circumstances, be deemed to be data processors if we act in accordance with our client’s detailed instructions (e.g. an owners’ association). If we consider ourselves to be data processors, the individual law firm will inform the client of this for the purpose of entering into a data processing agreement and agreeing more specifically on any assistance in complying with data controller duties.
Processing your, the client’s, personal data for purposes other than case management:
When we process personal data on our clients or our clients’ owners/management (when the client is a corporate entity) for purposes other than case management for a client, we are also deemed to be data controllers.
Such other purposes may be e.g. the processing of your personal data for the purpose of complying with our duty to collect proof of identity, etc. in order to comply with money laundering legislation or saving your contact details in a client database.
The consequence in these situations of us being data controllers of your personal data is that we must ensure compliance with your rights pursuant to current legislation on the processing of personal data (Please see the section ”Your rights”).
Processing the personal data of parties other than clients in connection with our case management:
In connection with the management of our clients’ cases, situations will arise where we must process the personal data of other parties related to the client or the case, e.g. employees, partners, contracting parties, customers, the other party or parties, etc. In relation to those parties, we will usually be deemed to be data controllers.
This means that we must ensure compliance with the rights of the data subject pursuant to current legislation on the processing of personal data (Please see the section ”Your rights”).
Processing personal data contained in job applications:
ADVODAN A/S does not process job applications on behalf of the law firms and thus does not forward applications sent to ADVODAN A/S to the individual law firms.
Therefore, if you wish to apply for a position with an ADVODAN law firm, you must address your application directly to the specific law firm, which will then be the data controller of the personal data contained in your application.
If you apply for a position in the ADVODAN A/S secretariat, you must address your application to the secretariat, which will then be the data controller of the personal data contained in your application.
As all ADVODAN law firms are independently responsible for the personal data processed in connection with specific client relationships and cases, the contact details for specific questions relating to personal data are found on the home page of the individual law firm. Find these at www.advodan.dk under the menu item ”Offices”. This is also the contact information needed if you wish to request access to the personal data about you that is processed by the individual law firm.
WE ENSURE FAIR AND TRANSPARENT DATA PROCESSING
When we ask that you provide us with your personal data, we inform you of which of your data we process and for which purpose. You will receive this information at the time when we collect your personal data.
If we collect personal data on you from others, e.g. a supplier, a public authority or a partner, we inform you of this no later than 30 days after we have collected your personal data – however, usually sooner. We also inform you of the purpose of the collection of data and the legal authority on which we base the collection of your personal data.
If you are e.g. the other side or a witness in a case handled by us on behalf of a client, there may be situations where we, due to our duty of confidentiality, cannot comply with our duty to provide this information to you or are only able to comply with it at a later date when we are no longer subject to a duty of confidentiality.
PROCESSING PERSONAL DATA
WE USE SEVERAL TYPES OF PERSONAL DATA
We use the personal data that is necessary and relevant to handling a specific task or managing a specific case. Depending on the nature of the task/case, the data used by us may comprise:
General personal data:
General personal data may be e.g. name, address and other contact information, information on financial circumstances, family-related circumstances, etc. The type of information collected by us depends on the nature of the task.
Unless otherwise agreed with our client, general non-sensitive personal data may be exchanged with the client and relevant third parties by unencrypted emails.
In some circumstances, we have to process CPR numbers (personal identity numbers), e.g. in connection with conveyancing, registrations with the Land Registry, company formations, other corporate changes (e.g. when registering the management, etc.).
Moreover, pursuant to current money laundering legislation applicable specifically to lawyers, we are obliged to collect identification with CPR numbers for personal clients and the personal owners of corporate clients.
When exchanging documents containing CPR numbers by email, we will, to the extent possible, use encrypted email, and we encourage our clients and third parties to do so also. The home page of each law firm will contain at least one email address which is able to receive encrypted emails. If you cannot send encrypted emails, we recommend that you agree an alternative procedure with the individual ADVODAN law firm.
Sensitive personal data:
In some cases, it is relevant to process sensitive personal data, including information on health, genetic and biometric data, information on racial/ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, information on sexual relationships, information on trade union membership as well as information on criminal offences.
Sensitive personal data are processed with particular focus on confidentiality and will not be exchanged by email unless encrypted, or by another form of secure communication.
WE COLLECT AND STORE YOUR PERSONAL DATA FOR SPECIFIC PURPOSES
We collect and store personal data for specific purposes in connection with our case management on behalf of our clients, or for our own commercial purposes.
Typical situations will be those where we:
· process personal data for the purpose of representing our client’s interests in connection with a concrete case or task,
· for the purpose of complying with money laundering legislation, collect identification, etc, or
· store and use contact information in a CRM system for the purpose of marketing similar services which we consider relevant to the client as well as for distributing electronic newsletters, once your consent has been obtained.
WE ONLY PROCESS RELEVANT AND NECESSARY PERSONAL DATA
We only process the personal data about you that is relevant and adequate to fulfil the purposes described above. Thus, we do not process personal data other than that required for the specific purpose.
Apart from the above, we only process the personal data necessary to fulfil our determined purposes.
Legislation may determine which types of personal data must be collected and stored for our business operations. The type and scope of the personal data processed by us may also be required to fulfil a contract or to comply with another legal obligation, to which we are subject pursuant to legislation.
To ensure that we only process relevant and necessary personal data for each of our determined purposes, we make use of IT solutions which contribute to ensuring that only the data required is collected. Internal guidelines are also laid down to ensure that the scope of the processing is limited to that required and that the storage period is limited to that required.
To protect you against third parties gaining access to your personal data, we may employ IT solutions which ensure that personal data is only available to relevant members of staff.
WE CHECK AND UPDATE YOUR PERSONAL DATA:
We check that your personal data, which we process, is not inaccurate or misleading. We also regularly update your personal data.
As the provision of our services relies on your personal data being accurate and updated, we ask that you kindly inform us of relevant changes to your personal data. You may contact the relevant lawyer about this or use the contact information stated above to notify us of any changes.
To ensure the quality of your personal data, we have adopted internal rules and established procedures for the control and updating of your personal data.
WE ERASE YOUR PERSONAL DATA WHEN IT IS NO LONGER REQUIRED:
We erase your personal data when it is no longer required for the purposes for which it was collected, processed and stored.
This means, among other things, that we erase client identification collected pursuant to the Danish Money Laundering Act five (5) years after the termination of the client relationship, cf. the provisions of the Money Laundering Act. Personal data collected in connection with the management of specific cases or tasks will be stored for an appropriate period from the completion of the case, which we are obliged to do in order to comply with our professional ethical rules. This is usually a minimum of five (5) years.
In some cases, there is a basis for storing case information for longer periods; however, rarely more than ten (10) years. Notwithstanding the foregoing, certain basic information is stored without time limits being imposed in order to ascertain any conflicts of interest, cf. our professional ethical rules. The individual ADVODAN law firm has established its own guidelines for the storage and erasure of cases.
WE ALWAYS HAVE LEGAL AUTHORITY FOR THE PROCESSING OF YOUR PERSONAL DATA:
When processing your personal data in connection with our case management, we ensure that we always have legal authority for the processing of your personal data.
Usually, we process your data based on our agreement to assist you in a case as well as our legitimate interest in processing your personal data.
A particular example is that we often process personal data because we are required to do so to comply with a legal obligation pursuant to e.g. money-laundering legislation.
In certain cases, we must obtain your consent prior to processing your personal data, e.g. in connection with the processing of sensitive personal data. However, we are not required to obtain consent in connection with our handling of disputes, including establishing, exercising and conducting court cases where we are entitled to process personal data of any kind – including sensitive personal data – when this is required to establish, exercise or defend a legal claim.
Any consent is given freely and you may withdraw your consent by contacting us. Please make use of the contact information above, if you require further information.
If we wish to use your personal data for purposes other than the original, we will inform you of this new purpose and – if necessary – will ask for your consent prior to commencing the data processing. If we have a different legal authority for this new processing, we will inform you of this.
WE DO NOT DISCLOSE YOUR PERSONAL DATA WITHOUT LEGAL AUTHORITY
Before disclosing your personal data to a third party, we always ensure that we have legal authority to do so.
If we disclose your personal data to partners and actors for purposes including marketing, we will obtain your prior consent and inform you of the purposes for which your personal data will be used. You may always object to this type of disclosure, and you may decline being contacted for marketing purposes, either by noting this in the Danish Civil Registration System or by notifying us. Notwithstanding the above, marketing by email does require your consent.
In connection with the conduct of a case, the client’s consent is not required for the disclosure of the client’s personal data to e.g. the court or the other side when this occurs in connection with the fulfilment of our agreement to provide assistance or with a view to establishing, exercising or defending a legal claim.
We do not obtain your consent if we are subject to a legal obligation to disclose your personal data, e.g. when reporting to a regulatory authority. This also applies to the disclosure of identity information on clients and potential clients in connection with establishing possible conflicts of interest in cases involving several ADVODAN law firms.
We obtain your consent before transferring your personal data to third-country recipients, i.e. countries outside the EU/EEA area. If we transfer your personal data to third-country collaborative partners, we ensure that their level of personal data protection fulfils the requirements set out in this policy pursuant to current legal provisions. We have certain requirements for e.g. the processing of personal data, the data security and the compliance with your rights in relation to e.g. objecting to profiling and complaining to the Danish Data Protection Agency/Datatilsynet.
It should be noted that the transfer of personal data to third countries is only relevant in connection with specific assignments. To the extent that the individual law firm generally stores client and case information with an external partner (cloud solution), we will only collaborate with partners within the EU/EEA who provide adequate guarantees that personal data is not stored in third countries.
WE PROTECT YOUR PERSONAL DATA AND HAVE INTERNAL DATA PROTECTION RULES:
We have adopted internal rules on data protection, which contain instructions and measures to protect your personal data from destruction, alteration or unauthorised disclosure to third parties.
We have adopted procedures for the allocation of access to those of our employees who process sensitive personal data and personal data, which contains information on personal interests, and information which is otherwise also considered confidential. We check the actual access through supervision. To prevent loss of data, we regularly back up our data.
In the event of a personal data breach resulting in a high risk of discrimination against you, or identity theft, financial loss, loss of standing or other significant detriment to you, we will notify you of said personal data breach as soon as possible and in accordance with applicable legal provisions.
If we as a law firm use an external collaborative partner for the storage of personal data (cloud solution), we ensure that a data processing agreement has been entered into and that said partner has put into place adequate security measures and that the compliance with these is regularly audited, e.g. by the reporting of IT suppliers maintaining a relevant ISO certification on IT and information security.
PERSONAL DATA ON ADVODAN.DK
We collect personal data on you when you subscribe to our electronic newsletters Private and Business using the advodan.dk forms. We ask you to provide your first name and family name (optional), email address and postcode. The postcode is used for associating you with the nearest ADVODAN firm to this postcode. Your email address is only used for sending you electronic ADVODAN newsletters.
Your personal data is stored based on your consent which is logged in our current newsletter system MailChimp.
When you receive an ADVODAN newsletter, we may, depending on your email provider and IT client (computer, tablet or mobile), see if you have opened the email and which links you click. We also receive information if there are issues with the delivery of your email.
You may always withdraw consent by unsubscribing from the newsletter by clicking on the link at the bottom of each newsletter.
To download contents from advodan.dk – e.g. e-books and reminder templates – we ask that you enter your email address and postcode. At the same time, you accept subscribing to either Newsletter Private or Newsletter Business.
Once we have sent you an email with the desired contents, only your email address and your postcode are saved in our MailChimp newsletter system.
You may always withdraw consent by unsubscribing from the newsletter by clicking on the link at the bottom of each newsletter. Learn more in the section ”Electronic newsletters”.
No personal data provided in forms on advodan.dk is saved.
QUESTIONS TO ARTICLES
When you enter a question in the form beneath an article on advodan.dk and click ”send”, you provide your consent to your name and question being published on the home page.
Your email address will not be published, but we use it for two purposes. The first purpose is to provide you with the opportunity to approve your question before it is published on the home page. The other purpose is that we use your email address to notify you once the lawyer has provided a response to your question.
The processing of your data is carried out confidentially and in accordance with current legislation.
We store your email address for three months, and then it is erased entirely from advodan.dk.
Your question and the lawyer’s answer will be visible on the ADVODAN home page as long as we find it relevant and it provides value to other visitors.
If you wish to have your question removed from the home page, please write to the ADVODAN secretariat at firstname.lastname@example.org.
We, moreover, reserve the right to erase sensitive personal data provided in any question if we find that it is not expedient to publish this on advodan.dk.
COOKIE-POLICY ON WWW.ADVODAN.COM:
YOU HAVE THE RIGHT TO ACCESS YOUR PERSONAL DATA
As a client, you always have the right to be informed of which of your personal data we process, its origin and the purposes for which it is processed. You may also receive information on how long we store your personal data and who receives your personal data, to the extent that we transfer your personal data.
If you make a request, we can inform you of which of your personal data we process. However, your access may be limited by the consideration for the protection of other persons’ privacy, for business secrets and immaterial rights.
You may exercise your rights by contacting us. You find our respective contact information on the home page of the individual law firm.
IF YOU ARE NOT A CLIENT
If you are not a client, but we process your personal data in the management of a client case, you have the right to receive information on which of your personal data we process, its origin and the purposes for which it is processed. You may also receive information on how long we store your personal data and who receives your personal data, to the extent that we transfer your personal data.
If the data is subject to a duty of confidentiality (or access is limited for other reasons, cf. the above), we are, however, not obliged to accommodate your request for access.
You may exercise your rights by contacting us. You find our respective contact information on the home page of the individual law firm.
YOU HAVE THE RIGHT TO HAVE INACCURATE PERSONAL DATA RECTIFIED OR ERASED:
If you believe that your personal data, which is processed by us, is inaccurate, you have the right to have it rectified. Please contact us and let us know which part of the data is inaccurate and how to rectify it.
In some instances, we are obliged to erase your personal data. This is the case if you e.g. withdraw your consent and we have no other legal authority for the processing of your personal data. If you believe that your personal data is no longer required for the purpose for which we collected it, you may request that it is erased. You may also contact us if you believe that your personal data is processed in contravention of applicable legislation or other legal obligations.
When you contact us with a request to have your personal data rectified or erased, we check that the conditions are fulfilled and then we rectify or erase the data as soon as possible.
YOU HAVE THE RIGHT TO OBJECT TO OUR PROCESSING OF YOUR PERSONAL DATA
You have the right to object to our processing of your personal data. You may also object to our disclosure of your data for marketing purposes. Please send your objection to the contact details provided on the law firm’s own website on advodan.dk. If your objection is justified, we will cease the processing of your personal data.
YOU HAVE THE RIGHT TO RECEIVE YOUR PERSONAL DATA IN ELECTRONIC FORMAT (THE RIGHT TO DATA PORTABILITY):
You have the right to receive the personal data which you have provided to us and which we have collected on you from other actors based on your consent, in electronic format. If we process your personal data as part of a contract to which you are a party, you also have the right to receive your data. You also have the right to transfer this personal data to another service provider, e.g. in connection with a change of lawyer.
If you wish to exercise your right to data portability, you will receive your personal data from us in a generally used format by email or on USB memory stick.
If you wish to access your data, to have it rectified or erased, or to object to our data processing, we will look into the possibility and provide you with a response to your enquiry as soon as possible and no later than one month from receipt of your enquiry.
YOU MAY COMPLAIN ABOUT UNLAWFUL PROCESSING OF YOUR PERSONAL DATA
If you believe that your personal data is being unlawfully processed, you should discuss this with the lawyer handling your case, in the first instance. You may also make a complaint to the person appointed by the individual ADVODAN firm as being responsible for handling enquiries relating to personal data.
If you believe that – despite your complaint to the law firm – your personal data is not lawfully processed, you may file a complaint with the Danish Data Protection Agency/Datatilsynet. Learn more about this on www.datatilsynet.dk.