Privacy Statement for Ryger Advokatfirma AS
(hereafter “we” or “us”)
Privacy is the right to a private life and the right to decide over one’s own personal data. Personal data consists of data and assessments that can be linked to an individual.
Ryger Advokatfirma AS (hereafter: Ryger) processes personal data as an employer, as a provider of services, for marketing purposes and in connection with visits to our website and our whistleblowing portal.
Privacy is important for the provision of Ryger’s services and our focus is on protecting the integrity, accessibility and confidentiality of the personal data.
This privacy statement describes how Ryger processes personal data pertaining to existing, previous and potential clients and (possible) opposing parties, as well as employees at Ryger, users of our website, suppliers and other cooperative partners.
In many situations, Ryger acts as the data controller and processes personal data in accordance with the Norwegian Personal Data Act and associated Regulations, as well as the rules in the Norwegian Courts of Justice Act that relate to law firms. We may also act as processor in connection with certain types of projects and assignments. In such an event, this processing will be regulated in an agreement with the data controller undertaking. This agreement will set the framework for Ryger’s processing of personal data.
We are the data controller for the processing of personal data described in this Privacy Statement. You will find our contact details below.
1 Who we process personal data about
This Privacy Statement pertains to our processing of personal data about the following persons:
- Private clients
- Clients in criminal cases
- Contacts for business clients
- Contacts for our suppliers and cooperative partners
- Persons involved in cases we assist with
- Other persons referred to in case documents that we obtain access to
- Visitors to our website
2 Purpose, types of personal data and legal basis
Below we have provided an overview of the purposes for our processing of personal data, the type of personal data we process and the legal basis for this.
Establishing client relationships
- When we are contacted by a client regarding a new assignment, we conduct an internal conflict of interest check before we can accept the assignment. The conflict of interest check serves a legitimate purpose and is based on Article 6 (1) (f) of the General Data Protection Regulation (GDPR) (balancing of interests). Conflict of interest checks of private clients generally include their full name, the subject matter of the case and, if relevant, creditworthiness. Conflict of interest checks on behalf of business clients will not generally involve the processing of personal data.
- In addition to establishing a client relationship, we may be legally obligated to conduct a client check in accordance with the rules in the Norwegian Money Laundering Act, which is thus our legal basis for processing such personal data, cf. cf. Article 6 (1) (c) of the GDPR. This entails that we will collect and register information regarding the identification of private clients and identification of owners, and the persons who act on behalf of our business clients.
- If we can accept the assignment, contact information will be registered, including name, address, e-mail and telephone number of private clients and contact persons for business clients. Registering contact information is necessary for being able to enter into an agreement with private individuals, cf. Article 6 (1) (b) of the GDPR. For business clients, the registration of contact information is based on a balancing of interests, cf. Article 6 (1) (f) of the GDPR.
Case management
- Some legal assignments involve us obtaining access to personal data about parties or other individuals involved in a case. This data may appear in documents the client sends to us or other correspondence in the case. The legal basis for processing personal data in connection with assignments for business clients is Article 6 (1) (f) of the GDPR (balancing of interests).
- In some cases we also obtain access to sensitive personal data, for example, medical information or criminal convictions and offenses. In such cases, the statutory authority for processing the data is Article 9 (2) (f) of the GDPR (processing is necessary for the establishment, exercise or defence of legal claims), cf. Section 11 of the Norwegian Personal Data Act (2018).
Knowledge management
- We use some of the agreements and documents that are drafted in our activities for the purpose of internal knowledge management, which means that documentation may be made available to other employees at the firm. The legal basis for processing this data is our interest in utilizing the knowledge we have acquired in the advice we provide in the future, cf. Article 6 (1) (f) of the GDPR (balancing of interests).
Client management
- Separate case files are created for assignments performed on behalf of the client, and case documentation is stored in our processing system under a separate case number. Time and costs incurred on a case are recorded in our accounting system. For business clients, our actions in connection with client management are based on Article 6 (1) (f) if the GDPR (balancing of interests), while for private clients, this is considered a necessary part of fulfilling the agreement, cf. Article 6 (1) (b) of the GDPR.
Storage and retention of case documents
- We generally store documents for 10 years after the assignment is completed. Storage for this period of time is considered necessary for both us and the client, because questions or disputes may later arise where the information stored could become relevant. The legal basis for processing personal data is Article 6 (1) (f) of the GDPR (balancing of interests, cf. the legitimate interest stated above) and Article 9 (2) (f) of the GDPR (establishment, exercise or defence of legal claims), cf. Section 11 of the Norwegian Personal Data Act (2018).
Use of our website
- We only use data which persons themselves register on our website in connection with the follow-up of user inquiries. The data is not used for any other purpose without specific consent and we also do not disclose the data to other parties. Like most other websites, we use a method in which the information is stored in a “cookie” on your PC. Cookies are primarily used to measure traffic and optimise the service. The legal basis is Article 6 (1) (f) of the GDPR (balancing of interests) and/or Article 6 (1) (b) of the GDPR (processing is necessary for the performance of a contract with the party in question).
Invoicing
- Contact information received from business clients is used to address invoices that are sent to the business, if this is requested by the client. For private clients, the person’s private postal address is used for sending invoices. The legal basis for processing the personal data is Article 6 (1) (f) of the GDPR (balancing of interests) for business clients and Article 6 (1) (b) of the GDPR (necessary for the performance of a contract to which the data subject is party) for private clients.
IT Operations and Security
- Personal data stored in our IT systems may be available to us or to our suppliers in connection with system updates, implementation or follow-up of security measures, error correction or other maintenance. The legal basis for processing is Article 6 (1) (f) of the GDPR (balancing of interests, cf. our legitimate interest to conduct these activities) and our legal obligation to have satisfactory information security, cf. Articles 32 and 6 (1) (c) of the GDPR.
Marketing
- We send newsletters to e-mail addresses registered for clients who we continuously provide legal services to and others who have requested to receive our newsletter. Recipients of the newsletter can easily stop the service by using the link included in each inquiry. The legal basis for processing is Article 6 (1) (f) of the GDPR (balancing of interests) when we have received the e-mail address in connection with a legal assignment or both we and the client have a legitimate interest in us sending out relevant updates and changes to clients and other interested parties. If there is an existing customer relationship, the marketing will take place in accordance with Section 15 (3) of the Norwegian Marketing Act. In other contexts, marketing is based on the consent of the concerned party, cf. Section 15 (1) of the Norwegian Marketing Act and Article 6 (1) (a) of the GDPR
Suppliers and cooperative partners
- In certain instances, Ryger will process personal data about suppliers and other cooperative partners. This primarily concerns data such as the name of the contact person, e-mail, telephone number and address. This data is processed to the extent necessary for administering the contractual arrangement and for compliance with the agreement, cf. Article 6 (1) (b) of the GDPR.
Human resources
- Personal data processed in connection with this includes personal details, pay information, evaluations, information regarding next-of-kin and qualifications/position. This data is processed to the extent necessary for administering the employment arrangement and for compliance with the employment agreement, cf. Article 6 (1) (b) of the GDPR. In some instances, the legal basis may be Article 6 (1) (f) of the GDPR (balancing of interests) and Article 9 (2) (f) of the GDPR (establishment, exercise or defence of legal claims).
3 Who we share personal data with
Our IT service providers may have access to personal data if personal data is stored at the provider or is otherwise available to the provider in accordance with their contract with us. In instances such as this, providers will act in accordance with the data processing agreement and under our instructions. The provider may only use the personal data for the purposes we have determined and as described in this Privacy Statement.
Lawyers are subject to a criminally sanctioned duty of confidentiality pursuant to Section 111 of the Norwegian General Civil Penal Code. All data entrusted to us in connection with an assignment is handled confidentially.
We will not disclose personal data in other circumstances or by other means to those described in this Privacy Statement unless the client explicitly requests or agrees to this, or disclosure is required by law.
4 Storing of personal data
We generally store case documents for ten years. Accounting laws otherwise require us to store specific accounting documents for a specified period. When a particular purpose dictates storage for a given period, we ensure that the personal data is used solely for that purpose during this period of time.
5 Your rights
You have certain rights regarding the personal data that pertains to you. The rights you may have will depend on the circumstances.
Withdraw consent
- You may withdraw your consent to receive newsletters at any time. We have made it possible for you to easily opt-out of this type of inquiry by including a link to the unsubscribe form in each inquiry. If you have consented to other processing of personal data, you may also withdraw your consent at any time by sending a request to us.
Request access
- Provided that the duty of confidentially does not prevent this, you have the right to access the personal data we have registered about you. To ensure that personal data is disclosed to the correct person, we may require a written request for access or that identity is verified by other means.
Request correction or deletion
- You can submit a request for us to correct incorrect data we have about you or request that we delete personal data. We will, insofar as possible, accommodate requests to delete personal data, however we cannot do so if there are compelling grounds for not deleting this data, for example, we need to store the data for documentation purposes.
Data portability
- In some instances, you may be entitled to the disclosure of personal data you have provided to us in order to have this transferred in a machine-readable format to another law firm. If technically possible, you will be entitled in some cases to have this transferred directly to the other firm.
Complaints to the supervisory authority
- If you disagree with the manner in which we process your personal data, you can file a complaint with the Norwegian Data Protection Authority.
6 Security
We have established procedures to securely manage personal data. These measures are of both a technical and organizational nature. We conduct regular assessments of the security of all key systems used for the processing of personal data, and agreements have been entered into that require providers of such systems to provide adequate information security. Access to personal data (and client/case information) is restricted to personnel who require access in order to perform their tasks.
We have adopted internal IT guidelines, and employees regularly receive training in security and use of IT systems.
7 Amendments to the Privacy Statement
We may make minor amendments to this Privacy Statement. You will always find the latest version on our website. We will provide notice in the event of any significant amendments.
8 Contact us
If you have any questions or comments regarding our Privacy Statement or wish to exercise your rights, you are welcome to contact us at:
Ryger Advokatfirma AS
Postboks 54 Kronstad
5819 BERGEN
NORWAY
post@ryger.no
+47 55 69 99 50
9. Organisation and responsibility
The managing director at Ryger has primary responsibility for Ryger’s processing of personal data. Responsibility for the day-to-day follow-up of Ryger’s compliance with privacy regulations has been delegated to the data protection coordinator.