Privacy policy for Brækhus Adovokatfirma AS and BD VAT and Services AS

This privacy policy applies to Brækhus Advokatfirma AS and BD VAT and Tax Services AS. We are the controller in regard to the processing of personal data as described in this privacy policy. You will find our contact information below.

The term controller means the person who determines the purpose of the processing of personal data and the means to be used in such processing. It is the controller who has the overall responsibility for the processing of your personal data.

Our thoughts on privacy: We are a law firm with expertise in privacy-related matters and we are passionate about processing your personal data in a safe and trustworthy manner.

How you share your personal data with us: While contacting us on https://braekhus.no/ or visiting our website www.braekhus.no, using our portal solutions, subscribing to a newsletter, contacting us or becoming a customer of ours, we will collect your personal data. You can read more about our different processing operations and their appurtenant purposes in Clause 3 below.

What a privacy policy is: This privacy policy contains information which you are entitled to receive when we collect personal data about you from our website or as a result of your customer relationship with us. The policy also contains general information on how we process personal data.

The privacy policy is governed by Norwegian law and may be amended from time to time, partly as a result of changes to current privacy legislation or because our services are expanded or changed. We will notify you if this requires a new consent from you.

Why you should read this privacy policy: This privacy policy has been compiled to inform you of your rights, as well as our policies and procedures regarding the processing of your personal data. Please read our privacy policy carefully to get a clear understanding of how we collect, use, protect or otherwise handle your personal data.

How this privacy policy is structured: We have endeavoured to design this privacy policy in a modern and reader-friendly format, so that you don’t have to read all of it to find the answer to your specific question. Please click on any of the topics below to be directed to the relevant information.

GDPR in a nutshell

On May 25, 2018, the General Data Protection Regulation (GDPR) of 27 April 2016 entered into force in most European countries. The GDPR entered into force in Norway on 20 July 2018.

What’s new? While the GDPR is a continuation of age-old European privacy law, it does introduce both new obligations for us and rights for you.

Your rights:

  • Information:  You are entitled to receive information concerning which categories of your personal data that we process (possess?) and how it is processed.
  • Access:  You may request a copy of your personal data that we process.
  • Rectification:  You may require your personal data to be rectified or supplemented.
  • Erasure: You may demand that we erase all of your personal data unless the data is required to provide a service that you still wish to have access to or we are required by law to keep the data for a certain period of time.
  • Restriction:  You may request that we restrict the processing of your personal data.
  • Data portability: You may request to obtain the personal data that you have provided to us or to have said data transferred to a third party in a structured, commonly used and machine-readable format. As a main rule, this right only applies to data that you have provided to us.
  • Objection:  You may object to our use of your personal data for the purpose of direct marketing, including profiling for direct marketing purposes. You may also object to being subject to decision based solely on automated processing, including profiling, which produces legal effects that significantly affects you.

 1.        Who we process personal data about

This privacy policy applies to our processing of personal data about the following categories of persons:

  • Clients in criminal cases
  • Contacts with business clients
  • Contacts with our suppliers and partners
  • Other persons mentioned in case documents that we have access to
  • Owners/residents, employees and board members of building associations
  • Private clients
  • Persons involved in matters where we provide assistance
  • Potential candidates for positions
  • Subscribers to our newsletters
  • Users of the portal solutions on our website
  • Visitors on our website

2.        Personal data

Personal data is information relating to an identified or identifiable natural individual, e.g. by reference to name, address, telephone number and e-mail address. Processing means any use of personal data, such as collection, registration, assembly, storage and transfer.

3.        Purpose, categories of personal data and lawful basis

Below we have provided you with an overview of the purposes for which we typically process personal data, which categories of personal data we typically process and the lawful basis of such processing operations.

3.1       Establishing a customer relationship

When we are contacted by a customer with a request for an assignment, we will check for a conflict of interest internally (conflict check) before we may accept the assignment. This conflict check serves a legitimate purpose and is based on the GDPR Article 6 (1) (f) (legitimate interest). Conflict checks of private customers usually includes full name, the case matter and, if applicable, a credit rating. In general, conflict checks on behalf of business customers will not involve the processing of personal data. In connection with the establishment of a customer relationship, we will also conduct a customer control in accordance with the rules of the Norwegian Money Laundering Act. For this purpose, we utilise passport information (or information from other valid credentials) and we will also be able to conduct database queries. Customer control is required to fulfil our legal obligations pursuant to Sections 4 (2) no. 3, 17 and 18 of the Norwegian Money Laundering Act, cf. the GDPR Article 6 (1) (c).

If we can accept the assignment, we will register your contact information, client/customer name and any contact persons, as well as address, telephone number, email address, nationality and in some cases personal identification number/D number.

The registration of contact details of private customers is necessary in order to enter into an agreement with the customer in question, cf. the GDPR Article 6 (1) (b). For business customers, the registration of contact details serves a legitimate purpose and is based on the GDPR Article 6 (1) (f) (legitimate interest).

3.2       Case/matter handling

Some assignments involve accessing personal data about parties or other individuals affected by a matter. Such data may arise from documents the customer submits or other correspondence in the matter.

Our processing of personal data in connection with assignments for business customers is based on the GDPR Article 6 (1) (f) (legitimate interest).

In some cases, we also recieve access to sensitive personal data, such as health information or information about convictions and offenses. In such cases, processing of the data is based on the GDPR Article 9 (2) (f) when the processing is necessary to determine, enforce or defend a legal claim, cf. Section 11 of the Norwegian Personal Data Act.

3.3       Knowledge management

We may prepare templates based on previous advice in order to further develop our services and streamline our case handling. We will anonymise any personal data contained in such templates, unless the template is prepared for the same customer whom the personal data concerns. As a knowledge-based company, we will also look at similar historic cases when advising.

The lawful basis for this processing operation is our interest in utilising acquired knowledge in future business, cf. the GDPR Article 6 (1) (f) (legitimate interest).

3.4       Customer administration

We create custom case files for assignments performed on behalf of the customer. Time and expense incurred on a case are recorded in our accounting system. For business customers, our processing of personal data in connection with customer administration is performed on the basis of the GDPR Article 6 (1) (f) (legitimate interests), whereas for private customers the processing is considered necessary to fulfil the agreement with that individual, cf. the GDPR Article 6 (1) (b).

3.5       Storage of case documents

We store case documents for 10 years after the assignment has been completed. Storage in the specified time frame is considered necessary both for the sake of the customer and for our own part, as questions or disputes may subsequently arise where information stored on a matter may be relevant.

The lawful basis for processing personal data in this regard is the GDPR Article 6 (1) (f) (legitimate interests) and Article 9 (2) (f) when of processing is necessary to determine, enforce or defend a legal claim, cf. Section 11 of the Norwegian Personal Data Act.

3.6       Invoicing

Contact information received from business customers is used to mark the invoice delivered to the business if the customer requests this.

For private customers, the individual’s private e-mail address is used for delivering invoices. In exceptional cases, postal address per ordinary mail is used instead. The lawful basis is GDPR Article 6 (1) (f) (legitimate interests) for business customers, whereas it is considered necessary for private customers to undertake the above processing in order to fulfil the agreement with that individual, cf. the GDPR Article 6 (1) (b).

3.7       IT and security

Personal data stored in our IT systems may be available to us or to our IT-suppliers in connection with system updates, implementation or follow-up of security measures, correction or other maintenance.

The lawful basis for this type of processing is the GDPR Article 6 (1) (f) (legitimate interests) and our legal obligation to have satisfactory information security, cf. Articles 6 (1) (c) and 32.

3.8       Marketing

We send newsletters to e-mail addresses that are registered to customers who we continuously provide services to and others who have subscribed to our newsletters. Recipients of the newsletters can easily unsubscribe from our newsletters by using a link included in each newsletter.

The lawful basis is the GDPR Article 6 (1) (f) (legitimate interests) where we have received the e-mail address in connection with an assignment. Our legitimate interest is to follow up our customers by providing relevant information about our services as well as relevant news and events, etc. If there is an existing customer relationship, the marketing will take place in accordance with Section 15 (3) of the Norwegian Marketing Act.

In other cases, the lawful basis is the consent of the person concerned, cf. Section 15 (1) of the Norwegian Marketing Act and the GDPR Article 6 (1) (a).

3.9       Property Management

Brækhus Advokatfirma AS acts as property managers, business managers and landlord representatives for several boards and property owners.

In this regard, we process personal data about tenants, owners of owner-occupied units and housing co-operatives, private/professional industry participants and landowners, etc, and relevant stakeholders. We process data about the data subject’s finances and payment ability, as well as contact information.

The lawful basis is the GDPR Article 6 (1) (f) (legitimate interests) for business customers, whereas it is considered necessary for private customers to undertake the above processing in order to fulfil the agreement with that person, cf. the GDPR Article 6 (1) (b).

In the work of private property management we will also be able to process sensitive personal data such as health information. The basis for processing of such personal data is the GDPR Article 9 (2) (a), hereunder that the data subject has expressly consented to the processing of such personal data for one or more specific purposes.

In some cases, the lawful basis will be the GDPR Article 9 (2) (b) if the processing of special categories of personal data is necessary in order for us as a controller or you as a data subject to be able to fulfil obligations and exercise special rights in the field of labour law, social security and employment law where this is permitted under EU law, Norwegian law, or a tariff agreement that provides necessary guarantees for your fundamental rights and interests.

3.10     Recruitment

Brækhus is always on the lookout for new talents. In connection with recruitment, we process CVs, applications, certificates, diplomas, references, internal assessments, and formal and informal notes from interviews, including video footage and images if submitted or uploaded voluntarily. We may also use and store personality tests and ability tests.

Processing of personal data in connection with recruitment is based on the GDPR Article 6 (1) 1b), as processing is necessary to fulfil an agreement to which you are registered as a party or if you have consented to our portal solution, cf. the GDPR Article 6 (1) (a).

If we retain application documentation after a recruitment process has ended, we will obtain your explicit consent as an applicant, cf. the GDPR Article 6 (1) (a). If you are fortunate enough to be employed by Brækhus, you will be governed by a separate employee privacy policy.

3.11     Brækhus Advokat’s portal solution

Brækhus aims to be a leader in technology. As part of strengthening our customer experience, we have developed Brækhus’ portal solution. Here, businesses and individuals can utilise contact forms to effectively communicate with us without the use of email.

The lawful basis is consent up until a customer relationship is established, cf. the GDPR Article 6 (1) (a). Subsequently, the processing will be conducted on the basis of the abovementioned lawful bases for established customer relationships.

3.12     Suppliers and partners

We process personal data in connection with our agreements with suppliers and partners. The personal data processed is contact information and other information deemed necessary to answer requests or to enter into or fulfil agreements, cf. the GDPR Article 6 (1) (f) (legitimate interest).

We also conduct anonymous analyses to improve our services. Such analyses will be conducted using aggregated and anonymised personal data and this information cannot be used to identify you as an individual.

In addition, we may process personal data for purposes other than those mentioned in this privacy policy, but only if they are consistent with the original purpose for which they were processed. This could, for example, be processing by way of retention for accounting purposes, the use of data for innovation projects (which preferably is conducted without the use of personal data), as well as the use of data that may be required if we are involved in a trial or other legal process.

4.        Which categories of personal data we process

While you visit our website, utilise Brækhus’ portal solutions, contact us or establish a customer relationship, we may process your personal data, including, but not limited to,

  • Address
  • Age
  • Birth date/personal identification number/D-number or other information pertaining to identification purposed
  • Case information regarding the individual assignment, such as information pertaining to the customer’s next of kin, employees or partners, opposing parties, witnesses, or other individuals of importance to the assignment.
  • Citizenship
  • CV and cover letter
  • Details concerning your use of our website and services (e.g. your search queries or communication with us).
  • Education, courses and certifications
  • E-mail address
  • Employer
  • Employment contract
  • Gender
  • Information about next of kin
  • Insurance company and policy number
  • Billing information (e.g. account number, payment history, including date and time, amounts charged, debit and credit card information and other related transaction details)
  • Name
  • Ownership information
  • Pictures
  • Position
  • References and internal evaluations
  • Tax percentage and municipality
  • Telephone number

As a general rule, we do not collect sensitive personal data about you (e.g. health information), unless relevant or necessary for the purposes of providing our services to you. In circumstances where we require sensitive personal data from you, we will first seek your consent to collect it. If such data is disclosed, you agree that we may process such sensitive personal data in accordance with this privacy policy for the purposes expressly stated in connection with your disclosure of your personal data.

5.        Who we share personal data with

Attorneys are subject to a duty of strict confidentiality and you rest assured that any data entrusted to us in connection with an assignment is handled confidentially. We co-operate with third parties to administer your use of our website or your customer relationship and to exercise our operations so that we can offer you our services. We may disclose your personal data to individuals or organisations who are our service providers and who are involved in:

  • Accounting services
  • Debt collection
  • Data processing, maintenance, review and development of our business systems, procedures, infrastructure and other IT operations, including testing or upgrading of our computer systems or any other operation which otherwise simplifies our services
  • Marketing, if you explicitly consent to this
  • Recruitment

Our suppliers of IT services, accounting and billing/debt collection will be able to access personal data if stored at the supplier or otherwise available to the supplier under their contract with us.

Suppliers act in accordance with separate data processing agreements and under our instructions. We will obtain the warranties deemed necessary to protect your personal data. The supplier may only use the personal data for the purposes we have determined and described in this privacy policy.

Except as stipulated above, we will not disclose your personal data unless:

  • In accordance with acts of law or regulations enacted through such acts.
  • Where it is necessary to establish or collect monies owing to us.
  • Where required by law or by order or requirement of a court, administrative agency or governmental tribunal.
  • With the consent of the person to whom the data applies

 6.        Storage of personal data

We will generally not retain your personal data any longer than necessary to fulfil the purpose of the processing. During the storage period, we guarantee that personal data is used solely for the purpose in question. In general, this means that the personal data we process will be deleted when:

  • You withdraw your consent, if consent was the lawful basis of the processing of personal data.
  • The agreement and the obligations and rights derived from the agreement are fulfilled.
  • The legal basis determines it (if the processing was necessary in order to fulfil a legal obligation to the authorities). This applies, for example, to accounting and bookkeeping legislation. Below is a more accurate overview of how long we process personal data for different purposes:

7.        Your rights

Due to our processing of your personal data, you have certain rights, including the right to:

  1. Information: You are entitled to receive information concerning which categories of your personal data that we process and how it is processed.
  2. Withdraw consent: If you have consented to receive a newsletter from us, you may withdraw this consent at any time. We have made it possible for you to easily reserve yourself against this type of inquiry by including a link to the unsubscribe form in each newsletter. If you have consented to any other processing of personal data, you may also withdraw your consent at any time for this processing operation by contacting us.
  3. Request access: You may request a copy of the personal data we have about you, so far as this would not impede with our duty of confidentiality.
  4. Request rectification or erasure:  You may ask us to rectify incorrect data we have about you or ask us to erase personal data. We will, as far as possible, accommodate a request to erase personal data, though we may be unable to comply with such a request of there are weighty reasons for not erasing the data, e.g. a duty to store the data for documentation purposes.
  5. Data portability: In some cases, you may be able to obtain the personal data you have provided to us in order to have them transferred in a machine-readable format to yourself or another law firm or other third party. If technically possible, we may in some cases have the data transferred directly to said third party.
  6. Objection: You may object to our use of your personal data for the purpose of direct marketing, including profiling for direct marketing purposes. You may also object to being subject to decision based solely on automated processing, including profiling, which produces legal effects that significantly affects you.
  7. Complaint to supervisory authorities: If you disagree with the way we process your personal data, you may file a complaint with the Data Inspectorate.

Please note that these rights are subject to any restrictions that may be imposed by law. In Norway, the processing of personal data is chiefly regulated by the Personal Data Act, through other legislation such as the Electronic Communications Act, the Marketing Act, the Bookkeeping Act and the Accounting Act also provide guidelines on how such data is to be processed. In order to protect us against false requests for access, we may require sufficient information by you in order to confirm that the person making the request is authorised. If you wish to exercise your rights, please contact us as specified in Clause 13.

8.        Security

Safeguarding your personal data is our highest concern. As such, we endeavour to maintain and employ reasonable measures for the physical, procedural and technical security with respect to the offices and information storage facilities involved with your personal data, so as to prevent any loss, misuse, unauthorised access, disclosure, or modification of your personal data. Your personal data is contained behind secured networks and is only accessible by a limited number of individuals who require access in order to perform their assignments, and are required to keep the personal data confidential. We use computer systems with limited access housed in facilities using physical security measures. We continuously review our data collection, storage and processing practices, including physical security measures, to guard against unauthorised access to our computer systems. All payment transactions are processed through a gateway provider and are not stored or processed on our servers. In addition, all debit and credit card information you supply is encrypted via Secure Socket Layer (SSL) technology. We have adopted internal IT guidelines, and we regularly train our personnel with regard to security and the use of IT systems. In case of any data breach concerning your personal data, we will notify you via email within 4 business days.

  9        International transfer

Your personal data may be transferred to — and maintained on — computers located inside of the European Economic Area and other countries which the European Commission has considered to have an adequacy of protection of personal data on the basis of article 45 of Regulation (EU) 2016/679. Your consent to this privacy policy followed by your disclosure of such personal data represents your agreement to that transfer. You rest assured that we will only transfer personal data to third parties that we consider to have implemented sufficient technical and organisational measures to secure your personal data.

 10.        Third party links

Occasionally, in our sole discretion, we may include or offer third party products or services on our website. We may also have links on our website to other websites that are not under our control. These links are offered for information purposes only and have separate and independent privacy policies.

We encourage you to read the privacy policy of every website you visit. We have no responsibility or liability for the content and activities of these linked websites.

 11.        Cookies

We use cookies on the website. Our use of cookies are governed by our Cookie Policy. We treat information collected by cookies as non-personal data, with the exception of IP addresses or similar identifiers.

We use a tool called “Google Analytics” to collect data about your use of our website. Google Analytics collects data such as how often you visit our website, what pages you visit when you do so, and what other websites you used prior to coming to our website. We use the data we get from Google Analytics only to improve our website. Google Analytics collects only the IP address assigned to you on the date you visit our website, rather than your name or other identifying information. We do not combine the data collected through the use of Google Analytics with personal data. Although Google Analytics plants a permanent cookie on your web browser to identify you as a unique user the next time you visit our website, the cookie cannot be used by anyone but Google. Google’s ability to use and share information collected by Google Analytics about your visits to our website is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. You can prevent Google Analytics from recognising you on return visits to our website by disabling cookies in your browser.

Statistics about users are used in an aggregated form so the statistics do not contain any kind of information that can be linked directly to you as an identified person.

12.        Amendments

We may implement minor changes to this privacy policy. You will always find the latest version on our website. We will notify you in case of material changes.

13.      Contact Us

If you wish to utilise your rights of access, rectification, erasure, restriction, data portability or the right to object to the processing of personal data or if you have questions or requests regarding this privacy policy, our processing or wish to file a complaint, please contact us at:

Brækhus Advokatfirma AS
P.O. box 1369 Vika, 0114 OSLO
E-mail: post@braekhus.no
Telephone: +47 23 23 90 90

BD VAT and Tax Services AS
P.O. box 1369 Vika, 0114 OSLO
E-mail: post@braekhus.no
Telephone: +47 23 23 90 90

We will investigate all complaints and if a complaint is found justified, we will take all reasonable steps to resolve the issue.

You are also entitled to file a complaint to the Data Inspectorate regarding our processing of your personal data. For information on how to contact the Data Inspectorate, visit the Data Inspectorate’s website: www.datatilsynet.no.