Privacy Policy and Cookies Declaration
Most recent amendment: 30.12.2023
Personal Privacy Policy For Bryn Aarflot
(Based on template from the Law Society)
This privacy policy applies to Bryn Aarflot AS («we» or «us»). We are responsible for processing personal information as described in this privacy policy. You will find our contact information below.
Personal information we hold
This privacy policy addresses the way we use personal information for:
- Private clients
- Contact persons for our commercial clients
- Contact persons for our suppliers and collaborative partners
- People involved in cases we work on
- Other persons mentioned in the case documents we have access to
- Visitors to our website
Purpose, types of personal data and legal basis
Below is an overview of the purposes for which we use personal information, the types of personal information we use and the legal basis for doing this.
Establishing a Client Relationship: When we are contacted by clients wishing to instruct us, we carry out an independent internal search for any conflict of interest before accepting the assignment. This independent search serves a legitimate purpose and is based on Article 6(1)(f) of the General Data Protection Regulation (“GDPR”). Conflict searches for private clients usually include full names, what the case involves and, if applicable, creditworthiness. Conflict searches for business clients do not usually involve processing personal data.
When a client relationship is established, we carry out a compulsory client check in line with the rules of the Money Laundering Act. This allows us to fulfill our legal obligations under the Money Laundering Act. See GDPR Article 6(1)(c).
If we are able to take on the assignment, contact information is entered in our system. The registration of contact details is necessary in order to enter into a contract with private clients. See Article 6(1)(b) of the GDPR.
For commercial clients, the registration of contact information is based on an assessment of interests. See Article 6(1)(f) of the GDPR.
Case management: Some assignments involve accessing personal information about parties or other individuals affected by a case. Such information may be contained in documents the client sends us or other correspondence in the case. The processing of personal data in connection with assignments for commercial clients is based on GDPR Article 6(1)(f). In some cases, we may also have access to sensitive personal information. In such cases, we process the information in line with Article 9(2)(f) of the GDPR. See section 11 of the Personal Data Act (new in 2018).
Knowledge management: This is based on our interest in using knowledge to deliver further advice to our clients, see GDPR Article 6(1)(f) (legitimate interests).
Client administration. Client files are created for all assignments carried out on behalf of our clients. Time and disbursements spent on a case are recorded in our accounting system. For commercial clients, our client management procedure follows GDPR Article 6(1)(f) whereas for private clients, it is a necessary part of fulfilling our contract. See GDPR Article 6(1)(b).
Storage of client files: We keep client files for 10 years after the assignment has been completed. We consider storage for this length of time to be necessary for both the client and us, as the files may be needed in case of a query or dispute. The legal basis for processing personal data is GDPR Article 6(1)(f) and GDPR Article 9(2)(f). See Section 11 of the Personal Information Act (2018).
The Transparency Act: Under the Norwegian Transparency Act we are required to promote respect for fundamental human rights and decent working conditions in connection with the provision of our services. If processing of personal data is necessary for compliance with such legal obligations, then GDPR article 6 no. 1 (c) will be the legal basis for such processing. For further information about our compliance with the Transparency Act, please refer to the following webpage, https://baa.no/en/the-norwegian-transparency-act
Billing: If requested, contact details received from business clients are included on client invoices. For private clients, the individual’s personal postal address is used for sending invoices. This is based on GDPR Article 6(1)(f) (legitimate interests) for business clients and GDPR Article 6(1)(b) (requirements to comply with the client contract) for private clients.
IT Operation and Security: Personal data stored in our IT systems may be accessible to us or our suppliers in connection with the following: system updates, implementation or follow-up of security measures, resolving problems or other system maintenance. This is based on GDPR Article 6(1)(f) and our legal obligation to have satisfactory information security. See GDPR Articles 32 and 6(1)(c).
Marketing: We send out newsletters by e-mail to clients we regularly provide legal services for, using their registered e-mail address. We also send out newsletters to those requesting it. Recipients of the newsletter can easily unsubscribe from the service by using the link included. This is based on GDPR Article 6(1)(f), for cases where we have received the e-mail address in connection with a legal assignment. Those who have previously been in touch with us are deemed to have an interest in professional updates. If there is an existing client relationship, any marketing complies with Section 15(3) of the Marketing Act. In other circumstances, marketing is based on the consent of the person concerned. See Section 15(1) of the Marketing Act and Article 6(1) of the GDPR.
Marketing
Purpose and use
Bryn Aarflot processes and gathers personal data for marketing purposes through the use of the website baa.no, analytics tools and other services such as Facebook and LinkedIn.
We send out newsletters by e-mail to clients for whom we regularly provide legal services, using their registered e-mail address, and to other parties who have requested that our newsletter be sent to them. Recipients of the newsletter can easily unsubscribe from the newsletter service by using the link provided in each individual communication or by contacting Bryn Aarflot. The basis for processing the data is Article 6(1)(f) of the EU General Data Protection Regulation (GDPR) where we have received the e-mail address in connection with an assignment for legal services. Clients and others who have previously been in touch with us have an interest in receiving updates in the relevant legal area. Where there is an existing client relationship, marketing is done in compliance with the third paragraph of section 15 of the Marketing Act. Otherwise, marketing is based on the consent of the person concerned: see the first paragraph of section 15 of the Marketing Act and Article 6(1) of the GDPR.
We will use the information about you for the following purposes:
- Sending out newsletters;
- Personalized advertisements and other relevant marketing;
- Statistics and management of the websites and services. We use this information to manage and improve the websites: for further information, see part 2.3 below on web analytics and cookies.
Which types of data are processed?
On our website we process both personally identifiable information and non-personally identifiable information about you. Those who only visit our website but do not contact us or sign up for the newsletter leave behind only non-personally identifiable information.
We gather and process the following data through our website:
- If you subscribe to our newsletter, you receive an e-mail from Bryn Aarflot about current news topics, offers and information. In order for us to send the e-mail to the correct subscriber, you must register your first name, family name, company/firm, position and e-mail address.
- If you direct an inquiry to us via our website, relevant information may be stored, such as name, telephone number and e-mail address, so that we are able to contact you.
- When you visit the website baa.no, your IP address is registered. We do not link that data directly to you as a user, but it is used to manage and maintain our website. This makes it possible for us to make what we offer continuously better and more user-friendly: for further information, see the part below on web analytics and cookies.
Web analytics, social media and cookies
Bryn Aarflot uses Google Analytics for web analytics and to gather anonymous data about the users of the website, so that we are able to optimise functionality and the information we offer.
The information is obtained from the user’s browser and may include IP address, operating system, browser software, time of visit, pages visited and sender webpage. The IP address is anonymized automatically.
Social media
We have profiles on the following social media sites:
- Facebook (Facebook GDPR & Privacy)
- Instagram (Instagram Data Policy)
- LinkedIn (LinkedIn Privacy Policy)
- YouTube (YouTube Policies & Safety)
Our social media profiles have been created and are used in accordance with the terms of use and guidelines for account administrators and processing of personal data on the various websites/social media.
Cookies
BAA.no uses cookies, which are small ‘information capsules’ whose purpose is to show you as much relevant content and advertising as possible, based on your actions and preferences over time. We use the following cookies:
- Facebook Pixel
- LinkedIn pixel
- Google Analytics
Most browsers accept cookies automatically and, if your browser is preset to indicate that the user accepts cookies, this is deemed to be consent. You can always opt not to accept an information capsule by changing the settings.
Storage and holding of data
Bryn Aarflot stores and processes personal data for as long as deemed necessary for the intended purpose or for what is required under agreements in place. Storage and holding of data is done strictly in accordance with statutory requirements. Your personal data will be erased if you request us to do so, either by unsubscribing from our newsletter or contacting us.
How we share personal information
Our IT service providers may have access to personal information if it is stored at the supplier’s premises or otherwise available to the supplier under the terms of their contract with us. Suppliers must comply with the data processing agreement and act under our instructions. The supplier may only use personal information for the purposes agreed by us and set out in this privacy policy.
Lawyers are under a duty of confidentiality, enforceable by criminal law, pursuant to section 111 of the Penal Code. All information entrusted to our lawyers or patent engineers in connection with an assignment is handled confidentially.
We do not disclose personal information under any other circumstances or in any other ways than those set out in this privacy policy unless the client explicitly requests or agrees to this or the disclosure is required by law.
Storing personal information
We store our clients’ files for ten years.
We are required by accounting legislation to store particular accounting documents for a given period of time. When a particular purpose indicates storage for a specific period of time, we ensure that personal information is used solely for that purpose during this period.
Your rights
You have rights over personal information that concerns you. The type of rights that you have will depend on the circumstances.
Withdrawing consent: If you have agreed to receive a newsletter from us, you may withdraw this consent at any time. We have made it easy for you to withdraw consent, by including an unsubscribe link in each newsletter. If you have consented to any other processing of personal information, you may also withdraw consent at any time by contacting us about this.
Request for access: You have the right to know what personal information we hold about you, provided our duty of confidentiality does not prevent this. In order to ensure that personal information is handed over to the right person, we may ask that a request for access be made in writing or that identity is otherwise verified.
Request for correction or deletion: You may ask us to correct wrong information we hold about you or ask us to delete personal information. We will, as far as possible, comply with a request to delete personal information, unless there are serious reasons for not deleting such information, for example if we must store information for documentation purposes.
Complaints to the DPA: If you are unhappy with the way we handle your personal information, you can complain to the Data Protection Authority.
Security
We have procedures for handling clients’ personal information in a secure way. These measures are both technical and organizational. We make periodic assessments of the security of all central systems used for handling personal data, and our agreements with system suppliers require them to provide satisfactory information security.
Access to personal information (and client/case information) is limited to personnel requiring access to do their job.
We have internal IT guidelines, and hold regular staff training on security and use of IT systems.
Changes to the Privacy Policy
We may make minor changes to this privacy policy. You will always find the latest version on our website. We will notify you of any significant changes.
Contact us
If you have questions or comments about our privacy policy or want to exercise your rights, please contact us:
E-mail address: mail@baa.no
Tel: 0047 46 90 30 00
Address: Stortingsgata 8 – 0161 Oslo, Norway
Personal Privacy Ombud: Hege Ramnes