The term controller means the person who determines the purpose of the processing of personal data and the means to be used in such processing. It is the controller who has the overall responsibility for the processing of your personal data.
Our thoughts on privacy: We are a law firm with expertise in privacy-related matters and we are passionate about processing your personal data in a safe and trustworthy manner.
How you share your personal data with us: While contacting us on https://braekhus.no/ or visiting our website www.braekhus.no, using our portal solutions, subscribing to a newsletter, contacting us or becoming a customer of ours, we will collect your personal data. You can read more about our different processing operations and their appurtenant purposes in Clause 3 below.
GDPR in a nutshell
On May 25, 2018, the General Data Protection Regulation (GDPR) of 27 April 2016 entered into force in most European countries. The GDPR entered into force in Norway on 20 July 2018.
What’s new? While the GDPR is a continuation of age-old European privacy law, it does introduce both new obligations for us and rights for you.
1. Who we process personal data about
2. Personal data
Personal data is information relating to an identified or identifiable natural individual, e.g. by reference to name, address, telephone number and e-mail address. Processing means any use of personal data, such as collection, registration, assembly, storage and transfer.
3. Purpose, categories of personal data and lawful basis
Below we have provided you with an overview of the purposes for which we typically process personal data, which categories of personal data we typically process and the lawful basis of such processing operations.
3.1 Establishing a customer relationship
When we are contacted by a customer with a request for an assignment, we will check for a conflict of interest internally (conflict check) before we may accept the assignment. This conflict check serves a legitimate purpose and is based on the GDPR Article 6 (1) (f) (legitimate interest). Conflict checks of private customers usually includes full name, the case matter and, if applicable, a credit rating. In general, conflict checks on behalf of business customers will not involve the processing of personal data. In connection with the establishment of a customer relationship, we will also conduct a customer control in accordance with the rules of the Norwegian Money Laundering Act. For this purpose, we utilise passport information (or information from other valid credentials) and we will also be able to conduct database queries. Customer control is required to fulfil our legal obligations pursuant to Sections 4 (2) no. 3, 17 and 18 of the Norwegian Money Laundering Act, cf. the GDPR Article 6 (1) (c).
If we can accept the assignment, we will register your contact information, client/customer name and any contact persons, as well as address, telephone number, email address, nationality and in some cases personal identification number/D number.
The registration of contact details of private customers is necessary in order to enter into an agreement with the customer in question, cf. the GDPR Article 6 (1) (b). For business customers, the registration of contact details serves a legitimate purpose and is based on the GDPR Article 6 (1) (f) (legitimate interest).
3.2 Case/matter handling
Some assignments involve accessing personal data about parties or other individuals affected by a matter. Such data may arise from documents the customer submits or other correspondence in the matter.
Our processing of personal data in connection with assignments for business customers is based on the GDPR Article 6 (1) (f) (legitimate interest).
In some cases, we also recieve access to sensitive personal data, such as health information or information about convictions and offenses. In such cases, processing of the data is based on the GDPR Article 9 (2) (f) when the processing is necessary to determine, enforce or defend a legal claim, cf. Section 11 of the Norwegian Personal Data Act.
3.3 Knowledge management
We may prepare templates based on previous advice in order to further develop our services and streamline our case handling. We will anonymise any personal data contained in such templates, unless the template is prepared for the same customer whom the personal data concerns. As a knowledge-based company, we will also look at similar historic cases when advising.
The lawful basis for this processing operation is our interest in utilising acquired knowledge in future business, cf. the GDPR Article 6 (1) (f) (legitimate interest).
3.4 Customer administration
We create custom case files for assignments performed on behalf of the customer. Time and expense incurred on a case are recorded in our accounting system. For business customers, our processing of personal data in connection with customer administration is performed on the basis of the GDPR Article 6 (1) (f) (legitimate interests), whereas for private customers the processing is considered necessary to fulfil the agreement with that individual, cf. the GDPR Article 6 (1) (b).
3.5 Storage of case documents
We store case documents for 10 years after the assignment has been completed. Storage in the specified time frame is considered necessary both for the sake of the customer and for our own part, as questions or disputes may subsequently arise where information stored on a matter may be relevant.
The lawful basis for processing personal data in this regard is the GDPR Article 6 (1) (f) (legitimate interests) and Article 9 (2) (f) when of processing is necessary to determine, enforce or defend a legal claim, cf. Section 11 of the Norwegian Personal Data Act.
Contact information received from business customers is used to mark the invoice delivered to the business if the customer requests this.
For private customers, the individual’s private e-mail address is used for delivering invoices. In exceptional cases, postal address per ordinary mail is used instead. The lawful basis is GDPR Article 6 (1) (f) (legitimate interests) for business customers, whereas it is considered necessary for private customers to undertake the above processing in order to fulfil the agreement with that individual, cf. the GDPR Article 6 (1) (b).
3.7 IT and security
Personal data stored in our IT systems may be available to us or to our IT-suppliers in connection with system updates, implementation or follow-up of security measures, correction or other maintenance.
The lawful basis for this type of processing is the GDPR Article 6 (1) (f) (legitimate interests) and our legal obligation to have satisfactory information security, cf. Articles 6 (1) (c) and 32.
We send newsletters to e-mail addresses that are registered to customers who we continuously provide services to and others who have subscribed to our newsletters. Recipients of the newsletters can easily unsubscribe from our newsletters by using a link included in each newsletter.
The lawful basis is the GDPR Article 6 (1) (f) (legitimate interests) where we have received the e-mail address in connection with an assignment. Our legitimate interest is to follow up our customers by providing relevant information about our services as well as relevant news and events, etc. If there is an existing customer relationship, the marketing will take place in accordance with Section 15 (3) of the Norwegian Marketing Act.
In other cases, the lawful basis is the consent of the person concerned, cf. Section 15 (1) of the Norwegian Marketing Act and the GDPR Article 6 (1) (a).
3.9 Property Management
Brækhus Advokatfirma DA acts as property managers, business managers and landlord representatives for several boards and property owners.
In this regard, we process personal data about tenants, owners of owner-occupied units and housing co-operatives, private/professional industry participants and landowners, etc, and relevant stakeholders. We process data about the data subject’s finances and payment ability, as well as contact information.
The lawful basis is the GDPR Article 6 (1) (f) (legitimate interests) for business customers, whereas it is considered necessary for private customers to undertake the above processing in order to fulfil the agreement with that person, cf. the GDPR Article 6 (1) (b).
In the work of private property management we will also be able to process sensitive personal data such as health information. The basis for processing of such personal data is the GDPR Article 9 (2) (a), hereunder that the data subject has expressly consented to the processing of such personal data for one or more specific purposes.
In some cases, the lawful basis will be the GDPR Article 9 (2) (b) if the processing of special categories of personal data is necessary in order for us as a controller or you as a data subject to be able to fulfil obligations and exercise special rights in the field of labour law, social security and employment law where this is permitted under EU law, Norwegian law, or a tariff agreement that provides necessary guarantees for your fundamental rights and interests.
Brækhus is always on the lookout for new talents. In connection with recruitment, we process CVs, applications, certificates, diplomas, references, internal assessments, and formal and informal notes from interviews, including video footage and images if submitted or uploaded voluntarily. We may also use and store personality tests and ability tests.
Processing of personal data in connection with recruitment is based on the GDPR Article 6 (1) 1b), as processing is necessary to fulfil an agreement to which you are registered as a party or if you have consented to our portal solution, cf. the GDPR Article 6 (1) (a).
3.11 Brækhus Advokat’s portal solution
Brækhus aims to be a leader in technology. As part of strengthening our customer experience, we have developed Brækhus’ portal solution. Here, businesses and individuals can utilise contact forms to effectively communicate with us without the use of email.
The lawful basis is consent up until a customer relationship is established, cf. the GDPR Article 6 (1) (a). Subsequently, the processing will be conducted on the basis of the abovementioned lawful bases for established customer relationships.
3.12 Suppliers and partners
We process personal data in connection with our agreements with suppliers and partners. The personal data processed is contact information and other information deemed necessary to answer requests or to enter into or fulfil agreements, cf. the GDPR Article 6 (1) (f) (legitimate interest).
We also conduct anonymous analyses to improve our services. Such analyses will be conducted using aggregated and anonymised personal data and this information cannot be used to identify you as an individual.
4. Which categories of personal data we process
While you visit our website, utilise Brækhus’ portal solutions, contact us or establish a customer relationship, we may process your personal data, including, but not limited to,
5. Who we share personal data with
Attorneys are subject to a duty of strict confidentiality and you rest assured that any data entrusted to us in connection with an assignment is handled confidentially. We co-operate with third parties to administer your use of our website or your customer relationship and to exercise our operations so that we can offer you our services. We may disclose your personal data to individuals or organisations who are our service providers and who are involved in:
Our suppliers of IT services, accounting and billing/debt collection will be able to access personal data if stored at the supplier or otherwise available to the supplier under their contract with us.
Except as stipulated above, we will not disclose your personal data unless:
6. Storage of personal data
We will generally not retain your personal data any longer than necessary to fulfil the purpose of the processing. During the storage period, we guarantee that personal data is used solely for the purpose in question. In general, this means that the personal data we process will be deleted when:
7. Your rights
Due to our processing of your personal data, you have certain rights, including the right to:
Please note that these rights are subject to any restrictions that may be imposed by law. In Norway, the processing of personal data is chiefly regulated by the Personal Data Act, through other legislation such as the Electronic Communications Act, the Marketing Act, the Bookkeeping Act and the Accounting Act also provide guidelines on how such data is to be processed. In order to protect us against false requests for access, we may require sufficient information by you in order to confirm that the person making the request is authorised. If you wish to exercise your rights, please contact us as specified in Clause 13.
Safeguarding your personal data is our highest concern. As such, we endeavour to maintain and employ reasonable measures for the physical, procedural and technical security with respect to the offices and information storage facilities involved with your personal data, so as to prevent any loss, misuse, unauthorised access, disclosure, or modification of your personal data. Your personal data is contained behind secured networks and is only accessible by a limited number of individuals who require access in order to perform their assignments, and are required to keep the personal data confidential. We use computer systems with limited access housed in facilities using physical security measures. We continuously review our data collection, storage and processing practices, including physical security measures, to guard against unauthorised access to our computer systems. All payment transactions are processed through a gateway provider and are not stored or processed on our servers. In addition, all debit and credit card information you supply is encrypted via Secure Socket Layer (SSL) technology. We have adopted internal IT guidelines, and we regularly train our personnel with regard to security and the use of IT systems. In case of any data breach concerning your personal data, we will notify you via email within 4 business days.
9 International transfer
10. Third party links
Occasionally, in our sole discretion, we may include or offer third party products or services on our website. We may also have links on our website to other websites that are not under our control. These links are offered for information purposes only and have separate and independent privacy policies.
Statistics about users are used in an aggregated form so the statistics do not contain any kind of information that can be linked directly to you as an identified person.
13. Contact Us
Brækhus Advokatfirma DA
P.O. box 1369 Vika, 0114 OSLO
Telephone: +47 23 23 90 90
BD VAT and Tax Services AS
P.O. box 1369 Vika, 0114 OSLO
Telephone: +47 23 23 90 90
We will investigate all complaints and if a complaint is found justified, we will take all reasonable steps to resolve the issue.
You are also entitled to file a complaint to the Data Inspectorate regarding our processing of your personal data. For information on how to contact the Data Inspectorate, visit the Data Inspectorate’s website: www.datatilsynet.no.