1. Roles and responsibility
Advokatfirmaet Simonsen Vogt Wiig AS (comprising the offices in Oslo, Bergen, Stavanger and Tromsø), Simonsen Vogt Wiig Kristiansand DA, Advokatfirmaet Simonsen Vogt Wiig Trondheim AS and Simonsen Vogt Wiig Services Pte. Ltd. Singapore are independent data controllers for processing of personal data for the purposes described in this privacy statement.
In this privacy statement, the companies are jointly referred to as «SVW».
2. What is personal data?
Personal data is information and assessments regarding an individual, and includes for example most e-mail addresses and telephone numbers. Personal data may also be sensitive information, such as information about a person’s health condition. SVW is concerned with protecting the privacy of our clients and others involved in a responsible way. Should you have any questions regarding how we handle personal data, you may send an enquiry to firstname.lastname@example.org, or, if you are a client, you can contact the lawyer in charge directly.
3. Purposes, types of information and legal basis
Below, we have listed the purposes for which we will process personal data, the legal basis for the processing and the types of information comprised:
- Establishing a client relationship: When a client establishes contact with us, requesting us to take on an assignment, we will make an internal independence control (conflict check) before accepting the assignment. The independence control serves a legitimate purpose that does not seem to imply any significant disadvantages for the client with regard to data protection, and may be based on GDPR Article 6 (1) (f) (balancing of interests). We add that a conflict check on behalf of business clients will not involve processing of personal data.In connection with establishing a client relationship, we must also carry out a customer due diligence in accordance with the Money Laundering Act. The customer due diligence is necessary for the compliance with a legal obligation, cf. GDPR Article 6 (1) (c) (see also the Money Laundering Act Section 23).
If we can take on the assignment, we will register the company information (such as name, organisation number, address and credit rating) and e-mail address, phone number and the title of contact person(s) in the company. For private clients, we will also register date of birth and in some cases the result of a credit rating. The registration of contact information for private clients is necessary for the performance of a contract to which the client is party, cf. GDPR Article 6 (1) (b). For business clients the registration of contact information is based on a balancing of interests, cf. GDPR Article 6 (1) (f).
- Case management: The contact information about the client and the client’s representative(s) will be used in the communication with the client. Some assignments require access to personal data regarding parties or other individuals involved in that case. Such information may be found in documents that the client sends us or any other correspondence of relevance to the case. In most cases, however, we process a minimal amount of personal data. Data processing in connection with assignments for business clients is based on GDPR Article 6 (1) (f) (balancing of interests).When providing legal services to individual in connection with an action for personal injury, we may receive health information directly from the client or from his/her doctor/therapist/insurance company, etc., as authorised by the client. The processing of health information will in these cases be a necessary part of the assignment, and is governed by GDPR Article 9 (2) (f) (processing is necessary for the establishment, exercise or defence of legal claims), cf. the Personal Data Act of 15 June 2018 Section 11.
- Client administration: Each client will have their own file in our processing system and separate files will be established for each assignment for the client. Time and costs incurred in connection with the case will be registered in our accounting system. For business clients, our client administration is based on GDPR Article 6 (1) (f) (balancing of interests), whereas for private clients, it is considered to be necessary for the performance of a contract with the individual, cf. GDPR Article 6 (1) (b).
- Filing/storage of case documents: We store case documents in our processing systems for as long as we have an ongoing case. Then the documents will be transferred to a file where they will be stored for 10 years after completion of the assignment. Storage in the said time span is considered necessary for both the client and us, as questions may arise where the information stored could be of relevance. With regard to personal data stored with these cases, there might be several legal bases for processing, including GDPR Article 6 (1) (f) (balancing of interests) and GDPR Article 9 (2) (f) (processing is necessary for the establishment, exercise or defence of legal claims), cf. the Personal Data Act of 15 June 2018 Section 11.
- Storage of fiduciary property (client funds): As part of an assignment for a client, we may be asked to store or manage funds on behalf of the client. Client funds are any monetary means entrusted to SVW, including advance payments of expenses and fees. Client funds are also securities of any kind, including bonds, mortgage bonds, debentures and other valuables a lawyer receives for storage or management. In some cases, we will establish a separate bank account on behalf of the client.Normally, we will not process much personal data in this respect, as we will mainly handle funds on behalf of business clients. Processing of personal data especially occurs when we handle private-law securities such as marriage settlements, testaments, debentures, deeds and contracts between private individuals. SVW has established routines for the handling of fiduciary property. The legal basis for data processing for this purpose is GDPR Article 6 (1) (b) (processing is necessary in order to take steps at the request of the client).
- IT operation and security: Personal data stored in our IT systems will be available to us or our contractors in connection with system updates, implementation or following up on security measures, error recovery or other maintenance. The legal basis for the processing is GDPR Article 6 (1) (c), cf. GDPR Articles 32 and 6 (1) (f) (balancing of interests).
- Knowledge management: We might reuse documents that we have drawn up for the client in connection with other assignments or other internal knowledge management. There will normally be no personal data in reused documents, but if that is the case, the data will be duly anonymised before being used for other purposes. The legal basis for the processing is GDPR Article 6 (1) (f) (balancing of interests) in the event there are personal data in the documents that will be reused.
- Invoicing and accounting: Contact information received from business clients is used to mark invoices sent to the company. For private clients, we will use the individual’s private postal address for invoicing. The legal basis for the processing is GDPR Article 6 (1) (f) (balancing of interests) for business clients and GDPR Article 6 (1) (b) (processing is necessary in order to take steps at the request of the client) for private clients.
- Marketing: We will send newsletters to e-mail addresses registered on clients to whom we currently provide services and others who have requested to receive newsletters from us. Recipients of the newsletter may easily unsubscribe from the service by using the link included in each communication. The basis for the processing is GDPR Article 6 (1) (f) (balancing of interest) where we have received the e-mail address in connection with an assignment and the Marketing Act Section 15 (3) allows for using the e-mail address for marketing. In other instances, the marketing is based on consent from the individual, cf. GDPR Article 6 (1) (a).
4. Access to personal data
Client information and documents are stored on a joint document handling system for Advokatfirmaet Simonsen Vogt Wiig AS, Advokatfirmaet Simonsen Vogt Wiig Kristiansand DA, Advokatfirmaet Simonsen Vogt Wiig Trondheim AS and Simonsen Vogt Wiig Services Pte. Ltd. Singapore and their lawyers and employees. Advokatfirmaet Simonsen Vogt Wiig AS and the other companies have entered into a data processing agreement that governs the access, in addition to an agreement with our office in Singapore on transfer of personal data that obliges the company to comply with Norwegian personal data legislation when using joint IT systems.
Our IT service providers might have access to personal data if the personal data are stored with the contractor or otherwise made available to the contractor based on the contract with us. The contractors act in accordance with the data processing agreement and our instructions. The contractor may only use the personal data for the purposes determined by us and as described in this privacy statement.
We will not disclose personal data in other situations or in any other ways than described in this privacy statement unless the client explicitly requests so or consents to this.
We are consciously safeguarding our professional secrecy. (Lawyers are bound by a statutory duty of confidentiality subject to penal sanctions under Section 111 of the Criminal Code.) All information confided to us in connection with an assignment is confidential.
5. Security of processing
We have established routines for secure processing of personal data and client information in general. The measures are of a technical, formal (subject to contract) and organisational nature. We regularly assess the security of all central systems used for the data processing, and we have concluded contracts that instruct contractors of such system to ensure satisfactory information security.
Access to personal data and case information in general is limited to personnel that need such access in order to perform their work. We have access management mechanisms that are used to protect certain cases so that they are only available to persons actively working on the case in question.
We have adopted IT guidelines that our employees shall comply with when they use our IT systems, and the guidelines are available on our intranet, and our employees are regularly trained with regard to security and using of IT systems.
We will delete personal data when it is no longer need to store the data for the purposes for which it was collected, see chapter 3. Due to the character of the services we provide, however, we will need to store case documents for a relatively long period after completion of an assignment.
When a case has been completed, all electronic case documents are transferred to an archive. When the case documents have been stored for 10 years, the access to the documents will be limited. Only personnel with special system rights may access the documents when access has been limited. Case documents in paper format will be transferred to a backup archive when the case is closed for ten years.
Moreover, accounting legislation requires us to store certain accounting documents for a stipulated period. When certain purposes imply storage for a particular period, we will ensure that the personal data is used solely for the relevant purpose during this period.
7. Your rights
We appreciate your feedback. Below you will find which rights you have at any time, and you may assert them by contacting us on email@example.com, or if you are a client of us, by contacting the lawyer in charge directly:
- Withdrawal of consent: If you have consented to receiving our newsletters, you may at any time withdraw this consent. We have arranged for an easy way to opt-out of this kind of enquiry by including a link to a deregistration form in each communication. If you have consented to other data processing, you may at any time withdraw your consent with regard to that processing by directing an enquiry to us.
- Request access: You are entitled to access the personal data we have registered about you, unless professional secrecy impedes this. In order to ensure that personal data is delivered to the right person, we may request that an access requires is provided in writing or that your identity is otherwise verified.
- Request rectification or deletion: You may request that we correct incorrect information that we have about you or ask us to delete personal data. We will to the extent possible comply with a request to delete personal data, but we cannot do that if there are important reasons for not deleting them, e.g. that we have to store the information for documentation purposes.
- Data portability: In some cases you have the right to request a copy of personal data that you have provided to us in order to transfer the data to another law firm, etc. If it is technically feasible, such data can be transferred directly to the other company
- Complain to supervisory authorities: If you disagree with the way in which we process your personal data, you may lodge a complaint with the Norwegian Data Protection Authority. We hope you choose to direct an enquiry to us first.
These are the cookies used on our sites:
- Episerver: Episerver is our publishing system and uses the cookie ASP.NET_SeccionId for remembering the choices you make when you visit our sites.
If you do not want the cookies to be stored, you may alter the settings in your browser. You may also delete existing cookies. If you choose to delete or not accept cookies, you may experience a reduced functionality on our website.
We might make minor changes in this privacy statement. The latest version will always be available on svw.no. In cases of material changes, we will provide a notice of this.