Last modified: 04.09.2018 This privacy policy applies to Avocado advokater AS. We are the data controller for the processing of personal data described in this privacy statement. You can find our contact information below. This privacy statement addresses our processing of personal data about the following persons:

• Private customers (natural person)
• Clients in criminal cases
• Contact persons at corporate clients
• Contact persons at our suppliers and partners
• Persons involved in cases we assist in
• Other persons mentioned in case documents we have access to
• Visitors to our website

Purpose, types of personal data and legal basis

Below we have provided an overview of the purposes for which we process personal data, the types of personal data we process and the legal basis for the processing. Establishment of a client relationship: When we are contacted by a client with a request to take on an assignment, we carry out an internal independence check (conflict clarification) before we accept the assignment. The independence check serves a legitimate purpose and is based on Article 6(1)(f) of the GDPR (balancing of interests). Conflict checks of private customers usually include full name, the nature of the matter and, if relevant, creditworthiness. Generally speaking, conflict checks on behalf of business customers will not involve the processing of personal data. In connection with the establishment of a client relationship, we will carry out a customer check in accordance with the rules in the Money Laundering Act: We obtain documentation confirming the client's identity, including full name, photo and national identity number, or D number. If the person does not have a national identity number or D-number, we will obtain identification confirming full name, date of birth. Place of birth, gender, address and citizenship. If the client is a legal entity, we will obtain a company certificate from the Register of Business Enterprises. If the client is a legal entity that is not registered in a public register, we will obtain personal data about the general manager, business manager, proprietor or similar contact person. After the client relationship has been established, the registered information and documentation obtained will be subject to ongoing follow-up for as long as the client relationship continues. Customer control is necessary to fulfil our legal obligations under the Money Laundering Act, cf. GDPR article 6 no. 1 letter c. If we can take on the assignment, contact information is registered. For private customers, the registration of contact information is necessary in order to enter into an agreement with the person concerned, cf. GDPR article 6 no. 1 letter b. For business customers, the registration of contact information is based on a balancing of interests, cf. GDPR article 6 no. 1 letter f.Case management: Some legal assignments involve us gaining access to personal data about parties or other individuals affected by a case. Such information may arise from documents submitted by the client or other correspondence in the case. The processing of personal data in connection with assignments for corporate clients is based on Article 6(1)(f) of the GDPR (balancing of interests). In some cases, we also have access to sensitive personal data, e.g. health information or criminal convictions and offences. In such cases, the processing of the data is based on Article 9 (2) (f) of the GDPR (processing is necessary for the establishment, exercise or defence of legal claims), cf. Section 11 of the Personal Data Act (new 2018).Knowledge management: The legal basis for the processing is our interest in utilising the prepared knowledge in further counselling, cf. GDPR Article 6(1)(f) (balancing of interests). Client administration. Separate case files are created for assignments carried out on behalf of the client. Time and costs incurred on a case are registered in our accounting system. For business customers, what we do in connection with client administration is authorised under GDPR Article 6(1)(f) (balancing of interests), while for private customers it is considered a necessary part of fulfilling the agreement with the person concerned, cf. GDPR Article 6(1)(b).Storage and retention of case documents: We normally store case documents for 10 years after the assignment has been completed. This does not apply to documents that are deposited, such as wills or similar documentation. Storage for the specified period is considered necessary for the sake of both the client and ourselves, as questions or disputes may subsequently arise where the information stored on a case may be relevant again. The legal basis for processing personal data is GDPR article 6 no. 1 letter f (balancing of interests, cf. the legitimate interest stated above) and GDPR article 9 no. 2 letter f (establishing, exercising or defending legal claims), cf. section 11 of the Personal Data Act (new 2018)Invoicing: Contact information received from business customers is used to mark invoices sent to the organisation if the client requests this. For private customers, the person's private postal address is used for sending invoices. The basis for processing is GDPR Article 6(1)(f) (balancing of interests) for business customers and GDPR Article 6(1)(b) (necessary to fulfil the agreement with the data subject) for private customers.IT operations and security: Personal data stored in our IT systems may be accessible to us or to our suppliers in connection with updates of systems, implementation or follow-up of security measures, error correction or other maintenance. The basis for processing is GDPR article 6 no. 1 f (balancing of interests, cf. our legitimate interest related to the aforementioned activities) and our legal obligation to have satisfactory information security, cf. GDPR articles 32 and 6 no. 1 letter c. Marketing: We send out newsletters to email addresses registered on clients to whom we provide legal services on an ongoing basis and others who have requested to receive our newsletter. Recipients of the newsletter can easily unsubscribe from the service by using the link included in each individual enquiry. The basis for processing is Article 6(1)(f) of the GDPR (balancing of interests) where we have received the email address in connection with a legal assignment. If there is an existing customer relationship, marketing will take place in accordance with section 15(3) of the Marketing Control Act. In other contexts, marketing is based on consent from the person concerned, cf. section 15(1) of the Marketing Control Act and Article 6(1)(a) of the GDPR.

Who we share personal data with

Our suppliers of IT services may have access to personal data if personal data is stored with the supplier or is otherwise available to the supplier in accordance with the contract with us. The suppliers act in accordance with the data processing agreement and under our instructions. The supplier may only use the personal data for the purposes we have determined and which are described in this privacy policy. Lawyers are subject to a criminal sanctioned duty of confidentiality pursuant to section 111 of the Penal Code. All information entrusted to us in connection with an assignment is handled confidentially. We do not disclose personal data in cases or in ways other than those described in this privacy statement unless the client explicitly requests or consents to this or the disclosure is required by law.

Storage of personal data

Billing information and personal data related to client control will be stored for the period of time required by statutory requirements, such as bookkeeping legislation and money laundering legislation.

Your rights

You have rights in relation to your personal data. Which rights you have depends on the circumstances. Withdraw consent: If you have consented to receive newsletters from us, you can withdraw this consent at any time. We have made it easy for you to opt out of this type of communication by including a link to an unsubscribe form in each individual communication. If you have consented to other processing of personal data, you may also withdraw your consent to this processing at any time by contacting us to this effect. Request access: You have the right to access the personal data we have registered about you, insofar as the duty of confidentiality does not prevent this. To ensure that personal data is disclosed to the right person, we may require that requests for access are made in writing or that identity is verified in some other way.Request rectification or erasure: You can ask us to correct inaccurate information we hold about you or ask us to delete personal data. We will as far as possible fulfil a request to erase personal data, but we cannot do this if there are compelling reasons for not erasing, for example that we need to store the data for documentation purposes. Data portability: In some cases, you may be entitled to have the personal data you have provided to us transferred in a machine-readable format to another law firm. If it is technically possible, it will in some cases be possible to have the data transferred directly to the other firm. Complaint to the supervisory authority: If you disagree with the way we process your personal data, you may submit a complaint to the Norwegian Data Protection Agency.

Security and safety

We have established procedures to handle personal data in a secure manner. The measures are both technical and organisational in nature. We regularly assess the security of all central systems used for handling personal data, and agreements have been entered into that require suppliers of such systems to ensure satisfactory information security. Access to personal data (and client/case information) is limited to personnel who need access to perform their tasks. We have adopted internal IT guidelines, and we regularly train employees with regard to security and the use of IT systems.

Changes to the privacy policy

We may make minor changes to this privacy policy. You will always find the latest version on our website. In the event of significant changes, we will notify you of this. If you have any questions or comments about our privacy policy or if you wish to exercise your rights, please contact us: Avocado Advokater AS, Fridtjof Nansens plass 4 0160 Oslo, Norway, post@avocado.no Tel: +47 22 98 00 00