Privacy Policy applicable to the law firm Kogstad Lunde & Co as of 01.04.2022 (Version 1)
The law firm Kogstad Lunde & Co (KLCO) processes personal data in legal practice and is the data controller for such processing in accordance with EU Regulation No. 2016/679 (GDPR) Article 4 No. 7. Contact details for the data controller are: Law firm Kogstad Lunde & Co DA, attn. Managing Director, P.O. Box 1360 Vika, 0113 Oslo. Organization number: 980687805.
This privacy policy is directed towards our processing of personal data about the following individuals:
• Private clients
• Contact persons at corporate clients
• Contact persons at our suppliers and partners
• Individuals involved in cases we handle
• Other individuals mentioned in case documents we access
• Visitors to our website
Below is an overview of the purposes for which we process personal data, the types of personal data we process, and the legal basis for the processing.
When we are contacted by a client with a request to take on an assignment, we conduct an internal independence check (conflict resolution) before we potentially accept the assignment. The independence check serves a legitimate purpose and is based on GDPR Article 6 No. 1 letter f (to safeguard a legitimate interest). Conflict checks of private clients usually include the full name and the nature of the case. If we can take on the assignment, we process information about the private client in the form of name, postal address, postal code/city, telephone/mobile number, fax number, email address, and personal identification number. The legal basis follows from GDPR Article 6 No. 1 letter b (to fulfill an agreement with the client).
Processing the client's personal identification number is necessary to achieve secure identification of the client to comply with legal requirements for anti-money laundering control. The legal basis for processing the personal identification number follows from the Personal Data Act § 12 and GDPR Article 6 No. 1 letter c (to fulfill a legal obligation).
For legal assignments for corporate clients, it is necessary to process personal data about contact persons at the client. The processing concerns information about the names of contact persons, telephone/mobile numbers, and email addresses. The legal basis follows from GDPR Article 6 No. 1 letter f (to safeguard a legitimate interest).
In case handling, we will process personal data relevant to the case and case type being handled. This will typically be information about factual circumstances necessary to assess and decide on legal issues related to the legal assignment. The types of personal data that are relevant and necessary to process will vary from case to case and will depend on the case type.
Some legal assignments involve accessing personal data about parties or other individuals affected by a case. Such information may appear in documents the client sends or other correspondence in the case. This may include personal data about claimants, opposing parties, contractual parties, witnesses, contact persons at corporate clients, and other individuals related to the case.
Processing personal data concerning a private client has a legal basis in GDPR Article 6 No. 1 letter b (to fulfill an agreement with the client). The legal basis for processing personal data about opposing parties and other individuals affected by the case follows from GDPR Article 6 No. 1 letter f (to safeguard a legitimate interest).
To establish, assert, or defend a legal claim, it may be necessary in some cases to process special categories of personal data, including health information, information about trade union membership, criminal offenses/violations. The legal basis for such processing follows from GDPR Article 9 No. 2 letter f and the Personal Data Act § 11 (new law in 2018).
Cases handled for clients are registered in our case management system. All case documents are stored there, and time spent and costs incurred are recorded. Time spent and incurred costs form the basis for billing and settlement of our fees. When registering time and billing, information that can identify the case with the client, such as case number, case name, and name of the contact person at the corporate client, will be processed.
The legal basis for the processing follows from GDPR Article 6 No. 1 letter b (to fulfill an agreement with the client). For corporate clients, the legal basis follows from GDPR Article 6 No. 1 letter f (to safeguard a legitimate interest).
All case documents are stored/retained securely and are subject to strict access control. Case documents will be stored for 10 years after the assignment is completed. Storage for the specified period is necessary for both the client and the law firm. Even though the legal assignment is completed, questions or disputes may arise later where the stored information may be relevant. The processing is in accordance with good legal practice and with the storage time requirements specified in the Legal Practice Regulations § 7-10.
The legal basis for the processing follows from GDPR Article 6 No. 1 letter f (to safeguard a legitimate interest), GDPR Article 9 No. 2 letter f, or GDPR Article 17 No. 3 letter b (to establish, assert, or defend legal claims), and the Personal Data Act § 11 (new law in 2018).
Information necessary to fulfill requirements under the Anti-Money Laundering Act § 4 (2) No. 3, cf. §§ 17 and 18, will be processed. The processing generally includes information about the client's name, personal identification number, address, reference to identification, and type of identification.
The legal basis for processing follows from GDPR Article 6 No. 1 letter c (to fulfill a legal obligation).
When visiting our office premises, information about the visitor's name, date of the visit, the company the visitor may represent, the name of the employee being visited, the time of arrival, and the time the visitor leaves the premises will be recorded. The information is stored for two months.
The processing is necessary to have control and oversight of visitors to the firm's premises, both for the visitor's own safety and to fulfill requirements for personal data security cf. GDPR Article 32. The legal basis for the processing follows from GDPR Article 6 No. 1 letter f (to safeguard a legitimate interest) and GDPR Article 6 No. 1 letter c (to fulfill a legal obligation).
Documents stored in connection with case handling may be stored in a separate database for internal knowledge sharing and reuse. Such documents are anonymized, and it will not be possible to identify individuals.
The processing is part of our work on internal knowledge sharing and to improve the quality of our legal services. The legal basis for the processing follows from GDPR Article 6 No. 1 letter f (to safeguard a legitimate interest).
Personal data stored in our IT systems will be accessible to our suppliers in connection with system updates, implementation or follow-up of security measures, error correction, or other maintenance. The legal basis for the processing follows from GDPR Article 6 No. 1 letter f (balancing of interests, cf. our legitimate interest related to the mentioned activities) and our legal obligation to have satisfactory information security, cf. GDPR Articles 32 and 6 No. 1 letter c (to fulfill a legal obligation).
We process personal data about contact persons at our suppliers and partners. The processing concerns information about the names of contact persons, title/position, telephone/mobile numbers, and email addresses. The processing is necessary to follow up agreements and cooperation with our connections. The legal basis follows from GDPR Article 6 No. 1 letter f (to safeguard a legitimate interest).
We use our website klco.no for marketing the firm's legal services, course activities, and for distributing newsletters.
When visiting the website, cookies are used. The publishing solution sets the cookie klcosession (session-dependent, deleted when the browser is closed). To remember your acceptance of the use of cookies, the cookie cookienotice_accepted is set (stored for 1 year). When subscribing to newsletters, your email address and the subject areas you subscribe to are registered. The information is stored as long as the subscription is active. You can change or delete your subscription yourself by using the "Change my subscription" link in the footer of the newsletter. When deleting the subscription, all your information will be deleted. You will receive newsletters if you have subscribed on our website and consented to the processing.
Newsletter distribution is done in collaboration with Twilio Ireland Ltd. When distributing newsletters, your email address is transferred to Twilio, which distributes our newsletters to all subscribers. Twilio is a multinational company subject to binding corporate rules (BCR) approved by the European Data Protection Board (EDPB) on May 25, 2018, in accordance with GDPR Article 46 No. 2 letter b and Article 47.
The legal basis for the processing follows from GDPR Article 6 No. 1 letter a (consent).
When registering for courses via klco.no, contact information for the course participant and necessary information to manage the registration and issue an invoice are registered. After the course is held, you will receive a link to an anonymous evaluation form that will be stored if completed. The information will be stored for 3 months after the course is held. The legal basis for the processing follows from GDPR Article 6 No. 1 letter b (to fulfill an agreement).
We use subcontractors for the storage, operation, and maintenance of the company's information and communication technology. All personal data is stored externally with our IT supplier. Personal data stored in the IT systems will be accessible to our suppliers in connection with operation, system updates, implementation or follow-up of security measures, error correction, or other maintenance. The suppliers act in accordance with a data processing agreement and under our instructions in accordance with GDPR Article 28.
If you are a lawyer or trainee lawyer and give your consent, information about your participation in our courses will be shared with the Bar Association for the application for approval of continuing education hours. The legal basis for the processing follows from GDPR Article 6 No. 1 letter a (consent).
Lawyers and their employees are subject to a criminally sanctioned duty of confidentiality pursuant to the Penal Code § 211. All information entrusted to us in connection with an assignment is handled confidentially. We do not disclose personal data in other cases or in ways other than those described in this privacy policy unless the client explicitly requests or consents to this, or the disclosure is required by law.
Personal data processed by us will be stored as long as necessary to fulfill the purpose of the processing. The information may be stored for a longer period if permitted or required by law. Here is an overview of how long we store personal data:
• Client information and information about contact persons at corporate clients are stored as long as the client relationship lasts, and for up to 10 years after the client relationship is terminated.
• Case documents, personal data in case handling, and personal data about the opposing party and other third parties are stored for 10 years after the assignment is completed.
• Information processed to detect and prevent financial crime is stored for five years after the client relationship is terminated or the transaction is completed, unless longer periods are required by law or regulation. The documents and information will be deleted within one year after the retention obligation has ceased.
• Information about visitors to our premises is stored for two months.
• Information about contact persons at our suppliers and partners is stored as long as necessary for the contractual relationship/cooperation, and for up to 10 years after the termination of the agreement/cooperation.
For personal data in connection with marketing, course activities, and newsletter distribution, see section 3.8. Accounting legislation otherwise requires us to store certain accounting documents for a specified period. When a specific purpose requires storage for a given period, we ensure that personal data is used exclusively for the relevant purpose during this period.
Under applicable data protection regulations (GDPR Chapter 3), you have rights that may apply when personal data about you is processed. Your rights may be limited by rules in the GDPR, the Personal Data Act, other legal provisions, or as a result of other circumstances. If you wish to exercise your rights, you can contact the lawyer handling your case.
If the processing with us is based on your consent, you can withdraw the consent at any time. The decision to withdraw consent does not affect the legality of the processing carried out before the consent is withdrawn. Withdrawal of consent also does not affect information that can be processed under another legal basis.
If you have consented to receive newsletters from us, you can withdraw this consent at any time. We have made it easy for you to opt out of this type of communication by including a link to the unsubscribe form in each communication.
You can request information about the purpose of the processing, the category of personal data registered, who has received the information or to whom it has been disclosed, how long the information is expected to be stored, and information about the source of the information if obtained from others. You can also request a copy of the personal data processed about you. To ensure that personal data is disclosed to the right person, we may require that the request for access be made in writing or that identity is verified in another way.
Limitations on your right to access and information follow from GDPR Article 14 No. 5 and the Personal Data Act § 16. The right does not apply to information that must be kept confidential for the prevention, investigation, detection, and prosecution of criminal offenses. The right to access and information also does not apply to information that is subject to confidentiality by law or pursuant to law. Exceptions to the information obligation also apply if providing the information is impossible or would involve disproportionate effort.
You can ask us to correct incorrect information we have about you or ask us to delete personal data. The information cannot be deleted if the processing is necessary to fulfill an agreement with you as a client, or if the processing has another legal basis.
In some cases, you may have the right to receive personal data you have provided to us in a machine-readable format to transfer it to another law firm. If technically possible, it may be possible in some cases to have this data transferred directly to the other firm.
You can object to the processing of personal data where the processing is based on consent or is based on a balancing of interests according to GDPR Article 6 No. 1 letter f.
If you believe that we are processing your personal data in violation of applicable data protection regulations or that your rights under the data protection regulations are being violated, you can send a written complaint to the Data Protection Authority, P.O. Box 8177 Dep., 0152 Oslo. The Data Protection Authority's decisions can be appealed to the Privacy Appeals Board.
We have appointed a Data Protection Officer. Before you potentially complain to the Data Protection Authority, you can first send a written inquiry to our Data Protection Officer. See section 8.
We have established procedures to handle personal data securely. The measures are both technical and organizational. We regularly assess the security of all central systems used for handling personal data, and agreements have been made that require suppliers of such systems to ensure satisfactory information security. Access to personal data (and client/case information) is limited to personnel who need access to perform their tasks. We have adopted internal IT guidelines, and we regularly train employees regarding security and the use of IT systems.
We have appointed lawyer Jan Aubert as the Data Protection Officer. You can contact him regarding questions about the processing of your personal data with us. The officer can also answer questions about your data protection rights under applicable data protection regulations. Contact details for our Data Protection Officer: Partner/lawyer Jan Aubert, Law firm Kogstad Lunde & Co DA, P.O. Box 1360 Vika, 0113 Oslo. Email: ja@klco.no
KLCO, April 1, 2022
We may make minor changes to this privacy policy. You will always find the latest version on our website. In the event of significant changes, we will notify you of this.