Privacy notice

This Privacy Notice applies where we act as controller for processing of personal data, which is normally the case in connection with our provision of legal services. As controller, we are responsible for ensuring that the personal data we have about you are used in accordance with the applicable data protection legislation.

In this Privacy Notice, you will find information about how we use and protect personal data about you as well as your rights in this regard. Personal data are data that relate to you as an identifiable person.

1. Individuals subject to processing of personal data

We primarily provide business law advice. Most of the data we process relate to businesses, not individuals. However, our services will still involve the processing of personal data.

This Privacy Notice describes how we process personal data related to the following data subjects:

  • Contact persons with our business clients
  • Private clients
  • Contact persons with our suppliers and partners
  • Persons involved in or mentioned in cases that we handle

2. How we process personal data

We have listed the typical purposes for our processing of personal data, the categories of personal data we typically process, and the legal bases for the processing below.

Establishing client relationships: When we are contacted by a client requesting our services, we perform a conflict check before taking on the engagement. This is required to ensure that we comply with the Rules for legal ethics, and the legal basis for performing such a check is provided in the GDPR Article 6c (legal obligation) and Article 6f (balancing of interests: our interest in behaving in an ethically correct manner). Such conflict checks do not normally involve the processing of personal data. Processing of personal data only takes place when we take on cases for private clients, or in cases where private individuals have the role of opponent or a similar role. In such cases, the information is normally limited to the name of these individuals and the nature of the engagement.

Where necessary pursuant to the Norwegian Money Laundering Act, we will perform a background check of our clients. For this purpose, we process passport information and the client's address details and we may conduct database searches. The basis for conducting such a money laundering check is provided in the GDPR Article 6c (legal obligation).  

If we take on the assignment, we will register the client's contact details. For business clients, we primarily register the name, telephone number and e-mail address of contact persons. The basis for such processing is provided in the GDPR Article 6f (balancing of interests: our interest in communicating with our client). Correspondingly, for private clients we will register name, telephone number, address and e-mail address. The basis for such data processing is provided in the GDPR Article 6b (contract).

Case handling:  In carrying out legal assignments, we normally process personal data, for example regarding employees and owners of the client's business or the opponent's business, witnesses, the opponent's counsel and other individuals involved in the case. Such data may appear in documents and correspondence (such as letters, e-mails, pleadings, memos, agreements and minutes) prepared or received by us in connection with the case. The basis for processing of personal data in connection with assignments for business clients is provided in the GDPR Article 6f (balancing of interests: our interest in providing services to our clients), whereas the basis in connection with assignments for private clients is provided in the GDPR Article 6b (contract). In our handling of cases, we occasionally gain access to sensitive personal data, such as health information in employment matters or information concerning violations of the law in matters of financial crime. The legal basis for such processing is provided in the GDPR Article 9f (legal claims), cf. the Norwegian Personal Data Act, Section 11.

Knowledge management:  For the purposes of improving and developing our services, we may prepare templates on the basis of previous advice we have given. In preparing such templates, we anonymise the information contained in the documents, unless the template is prepared for the client to which the information relates. Being a knowledge-intensive company, we normally also draw on our work in previous matters when providing our advice. The basis for this processing of personal data is provided in the GDPR Article 6f (balancing of interests: our interest in knowledge management).

Filing of case documents:  We retain any documents and correspondence pertaining to a case upon completion of the assignment. After a given time, such documentation is transferred to an archive (electronic and/or physical) with stricter access control. Archiving of case documents is something we do because it is expected by our clients, and because occasionally there is a need to retrieve former case files, for example in connection with a subsequent court case or process in which the client needs documentation from previous cases. The basis for such processing of personal data is provided in the GDPR Article 6f (balancing of interests: our interest in fulfilling our clients' expectations and needs). For the few cases that involve sensitive personal data, the basis for such processing of personal data is provided in the GDPR Article 9f (legal claims), cf. the Norwegian Personal Data Act, Section 11.

Invoicing:  Time and costs accrued in a case are registered in our accounting system. We use the contact details we have received from our clients for invoicing purposes. The legal basis for such processing of personal data in respect of business clients is provided in the GDPR Article 6f (balancing of interests: our interest in invoicing) and for the corresponding processing in respect of private clients in the GDPR Article 6b (contract).

Marketing:  We send out newsletters and event invitations by e-mail to contact persons with our existing clients (clients we have assisted during the course of the last three years), and to others who have expressly requested such communication. The basis for sending such e-mails to contact persons with our existing clients is provided in the GDPR Article 6f (balancing of interests: our legitimate interest in following up our clients by providing legal news and relevant information about our services), cf. the Norwegian Marketing Control Act, Section 15(3). The basis for sending such e-mails to other individuals is provided in the GDPR Article 6a (consent), cf. the Norwegian Marketing Control Act, Section 15(1). Any recipients of our communication items can easily opt out using the link included in our e-mails.

Administration relating to suppliers and partners: We use the services of suppliers and partners for providing legal services. For such parties we register contact details, primarily the name, telephone number and e-mail address of contact persons. The basis for this processing is provided in the GDPR Article 6f (balancing of interests: our interest in administering our relationship with suppliers and partners).

We may also process personal data for purposes that are not incompatible with the original purpose for which the data was collected. This applies for example for storage for accounting purposes, use of information for innovation projects (which generally take place without the use of personal data), and use of information which may be required if we as a law firm become involved in legal proceedings, an acquisition or other kinds of processes.

3. Parties with whom we share personal data

Lawyers are subject to a pledge of confidentiality. Any information which is shared with us in confidence or which we receive in connection with an assignment is handled confidentially.

We share personal data with courts, opponents and other advisers where necessary in order to execute the assignment.

The suppliers of our IT services and their sub-suppliers may have access to personal data if such access is necessary in order for them to provide their services to us. We have data processing agreements with such parties ensuring that they do not use such data for their own purposes.

We do not disclose personal data in any other way, unless requested to do so by our clients or unless it is necessary in order to comply with laws or public authority requirements. We do not sell personal data.

4. Data retention

We store your personal data as long as it is necessary to fulfil the purposes described in this Privacy Notice. This essentially means the following:

  • We store case information for a period of 20 years. For cases where we have access to data via third-party data rooms, we will normally no longer have access to such data shortly after completion of the assignment.
  • We store the details of contact persons with our clients for a period of 5 years after the client relationship has ended.
  • We store information collected for money laundering check purposes for a period of 5 years.
  • We store invoice information for a period of 5 years.
  • We store the names and e-mail addresses of individuals who have consented to receiving newsletters until such consent is withdrawn.
  • We make backup copies of our data, which are continuously deleted after 2 years.

5. Your privacy rights

You have several rights under the current privacy regulations. We have provided a list of these rights below. Please do not hesitate to contact us if you wish to exercise your rights. We will respond to your inquiry as soon as possible, generally within one month at the latest.

Access: You have a general right of access to the personal data we have registered about you. Because lawyers are subject to a statutory duty of confidentiality, we cannot grant access to case information, unless you are a private client and the case information relates to assignments we have carried out for you.

Rectification and erasure: You have a general right to request that we should rectify any incorrect personal data about you and erase personal data about you. We will not rectify data and assessments which you consider to be incorrect, but which we or our clients consider to be correct. We also will not erase information if there is a need to continue to store such information (see section 4 above).

Restriction: You have a general right to ask us to stop ("freeze") the processing of your personal data, e.g. where you are of the opinion that we process personal data about you illegally and you do not wish us to erase these data pursuant to our routines for such erasure until the matter has been clarified.

Data portability: You have a general right to request transfer of your personal data in a common, machine-readable format. Because this only applies to the personal data you have given us and where we process such data on the basis of your consent or an agreement we have with you, this right will probably not be relevant in relation to us.

Objection: You have a general right to object to our processing of personal data about you if this is justified by special circumstances on your part. You also have the right to object to us using data about you for marketing purposes, and you can do this for example by using the link included in our e-mails.

We do not carry out automated decision-making or profiling.

Right to appeal to the Norwegian Data Protection Authority (Datatilsynet): If you do not agree with the way in which we process your personal data, you may submit an appeal to the Norwegian Data Protection Authority (Datatilsynet). We ask that you contact us beforehand, so that we may clarify any misunderstandings.

6. Security

We have implemented technical and organisational security measures in order to ensure that we handle personal data in a secure manner. We perform regular assessments of the security of all of our systems used for the handling of personal data, and have entered into agreements instructing the suppliers of such systems to ensure an adequate level of data security.

In cases where the disclosure of data, as described in section 3, involves transfer of data out of the EEA, we implement measures to protect the personal data, such as entering into agreements on the basis of EU standard contractual clauses with the recipient of the data or ensuring that the recipient of the data is Privacy Shield certified. You can read more about the EU standard contractual clauses here and about Privacy Shield here, and you can contact us to receive a copy of these agreements (where we will remove all confidential information).

7. Amendments to this Privacy Notice

We may amend this Privacy Notice from time to time. You will be notified if any significant amendments are made. The most up-to-date version of our Privacy Notice is available on our website.

8. Cookies

We make use of cookies on our website. For more information regarding our use of cookies, see our cookie policy.

9. Contact details

Please contact us if you have any questions or comments or if you wish to exercise your rights. Our contact details are as follows:

Advokatfirmaet Wiersholm AS
Postal address: P.O. Box 1400 Vika, NO-0115 Oslo, Norway
E-mail: firma@wiersholm.no
Tel.: +47 210 210 00