Processing of personal data at Ræder Bing advokatfirma AS
1. Who is the data controller
2. When is Ræder Bing the data controller?
As a law firm, we are an independent data controller under the Norwegian Personal Data Act, which incorporates the EU General Data Protection Regulation (GDPR) into Norwegian law. When you are in contact with us, whether as a private client or as a contact person for a corporate client, we process personal data about you. Below, you will find information about the types of personal data we collect, why we do so, and your rights related to the processing of personal data.
3. Processing of personal data – legal basis
We process and use your personal data for various purposes, depending on who you are and how we come into contact with you. We primarily process personal data to provide and perform legal services to clients.
We primarily process personal data based on the contract we enter into with you as our client. In addition, we are subject to various laws and regulations that require us to process personal data in certain ways. Legal obligation is the legal basis when we, as a law firm, carry out mandated duties and rights as lawyers, or when we, as an employer of our staff, perform rights and obligations as required by applicable regulations.
For certain processing, we rely on your consent as the legal basis. You can withdraw your consent at any time, and it will affect any processing that was based on such consent going forward.
Sometimes, we process personal data based on our legitimate interests. In such cases, we have concluded, after a balancing test, that we have a legitimate interest that is lawful, and we have weighed our interest against the privacy impact on the data subjects, concluding that our interest outweighs the processing. As the data subject, you have the right to object to our processing of personal data based on legitimate interest by contacting us.
4. Purpose of our processing of personal data
We process various types of personal data for different purposes:
Establishment and administration of client relationships: In this context, we process contact information, proof of identity, payment details, etc. This processing is based on the agreement we enter into with private clients. For both private clients and corporate clients, the processing is governed by the engagement letter, and thus, it constitutes a contractual obligation for us to process certain personal data in order to fulfill the agreed-upon engagement. Some processing activities may also occur before we have entered into a formal agreement. Additionally, Ræder Bing is subject to legal obligations in connection with the establishment of client relationships, such as the Anti-Money Laundering Act.
Case handling: In connection with case handling, we process personal data that is necessary in relation to the specific case. The processing is based on agreements for private clients and our legal obligations as lawyers, as we are subject to the Lawyers' Regulations and other legislation depending on the specific case, such as the Court Act, the Dispute Act, and the Administrative Procedures Act. In addition to agreements and legal obligations, consent may also serve as a lawful basis for certain additional processing activities that are not covered by the agreement or legal obligation (this will vary from case to case and within each individual case).
Information about opposing parties and other third parties: We process personal data that is necessary in relation to the specific case, both regarding opposing parties and other third parties. This processing is carried out to fulfill the agreement we have with the client, as well as our legal obligations as lawyers. Processing activities encompass the actions necessary to resolve incoming cases as efficiently as possible, in accordance with such obligations under agreements, laws, commercial considerations, and good legal practice. If we process special categories of personal data, the processing is based on legal grounds as per GDPR Article 9 (2) (f), which pertains to establishing, exercising, or defending legal claims, or GDPR Article 9(2)(a) concerning consent.
Criminal judgments and legal violations: The Personal Data Act does not apply to cases processed or decided under the procedural laws (such as the Court Act, the Criminal Procedure Act, the Dispute Act, and the Enforcement Act), and it also does not apply to cases processed under the Police Register Act or the regulation on the processing of personal data in the correctional services. However, we may need to process personal data in situations where the Personal Data Act applies in connection with cases processed under the procedural laws. In such cases, we process personal data that is necessary in relation to the specific case. The processing is carried out to establish, exercise, or defend legal claims.
Real Estate brokerage: Ræder Bing also conducts real estate brokerage for some clients. In such cases, we process personal data about property owners, bidders, and buyers of real estate where Ræder Bing is engaged as an assistant, real estate broker, or responsible for settlements. This work involves processing identification information, financial information, contact information, payment details, and information about bidders, among other things. We process personal data based on an agreement, and in addition to fulfilling the agreement, consent may also serve as the legal basis for processing. Ræder Bing is subject to legal obligations in connection with real estate brokerage, such as those stipulated by the Anti-Money Laundering Act or the Real Estate Brokerage Act, and such processing has a legal obligation as the legal basis
Property management: Ræder Bing acts as a landlord and property manager for several clients. In such cases, we process personal data about tenants, owners of condominiums and cooperative shares, and interested parties. This includes processing identification information, financial information about the data subjects, their payment capability, and contact information. In the course of property management, we may also process special categories of personal data, such as health information. The processing is based on the necessity of processing to fulfill an agreement to which the data subject is a party. Additionally, Ræder Bing is subject to legal obligations, including those outlined in the Anti-Money Laundering Act and accounting legislation. If we process special categories of personal data in connection with property management, we do so because the data subject has given explicit consent for the processing under GDPR Article 9 (2) (a), or because the processing is necessary for the data controller or the data subject to exercise specific rights in the field of labor law, social security, and social protection law under GDPR Article 9 (2) (h).
Storage / Retention of Case Documents: We process personal data that is necessary in relation to the specific case. The processing is carried out based on a legal obligation to archive ongoing and completed cases.
Invoicing: To invoice, we process contact information and payment information. For private clients and corporate clients, we process personal data based on the agreement with the client.
Sending of marketing, newsletters, and other relevant information about our business: We process names and email addresses to send out newsletters and occasionally for other marketing purposes. The processing is based on consent from the recipient of the marketing, in accordance with the Marketing Act § 15. The recipient is usually a private client or a contact person at a corporate client. You can withdraw your consent to receive newsletters from us at any time by contacting us or by clicking on the unsubscribe link in a newsletter you have received. If you do not wish to receive marketing communications, you can send an email to email@example.com.
Information about potential clients: In connection with the potential conclusion of an agreement, we process necessary contact information about individuals relevant to each client, and we are legally obliged to perform certain checks, including anti-money laundering checks. If we wish to mention a client in rankings or in bids or in any other external context, we will ask the individual client for consent for such publication.
Knowledge management (e.g., reuse of documents in later cases): We process personal data in connection with knowledge management based on our legitimate interest. We only process the personal data that is necessary in relation to the specific case. We have assessed that the processing is necessary for internal learning processes and to work more efficiently. Any personal data in documents used for knowledge management will be anonymized as far as practically possible.
Recruitment: In the context of recruitment, we process CVs, applications, certificates, diplomas, references, internal assessments/interview notes, personality tests, and aptitude tests, if applicable. The processing of personal data is based on an agreement with the individual applying for a position with us. If we retain application documentation after a recruitment process is completed, this is done based on consent from the applicant.
Security: or security reasons, we conduct logging on servers, detect, investigate, and follow up on security incidents, and more. The processing is based on a legitimate interest. We have assessed that this processing is necessary to ensure information security and prevent unauthorized access to and disclosure of personal data.
5. Disclosure of personal data to others
We do not disclose or transfer your personal data to others unless there is a legal basis or requirement for such disclosure. Examples of this typically include legal obligations that require us to provide information to opposing parties, courts, or public authorities.
Ræder Bing uses data processors to process personal data on our behalf. In such cases, we have entered into necessary agreements in accordance with applicable data protection regulations to ensure information security and compliance with the content requirements of such agreements at all stages of processing.
We use the following data processors:
- Amesto Norge AS – systems for payment
- Admincontrol AS – Supplier of data room as SaaS
- Bona Mea AS – Supplier of the service BonaMea.com used to store and share documents
- Cvideo AS – Supplier of systems for recruitment
- CVPartner – Supplier of systems for recruitment and CV
- Evry Norge AS – Supplier of systems for eC Trade and EDI
- iManage LLC – Supplier of the cloudservice iManage which is used for case handling and archive (data is stored in iManage’s servers in the Netherlands)
- Intility AS – Management and support of IT-services (storage is on servers within EU/EEA)
- Markedspartner - Supplier of Consultancy services for Hubspot
- Knowit - Supplier of Consultancy services IT / web
- Microsoft Ireland Operations Ltd. – Supplier of Outlook and Teams as well as other standard Microsoft 365 services
- ON Property AS – Supplier of systems for real estate management
- PSA Consulting AS – Supplier of consultancy services for iManage and other systems such as Sysero, Custodian iPaaS, Custodian LEDES and Custodian Smart Templates (PSA does not process any personal data for us in any of these systems) – personal data is process and stored in Microsoft Azure within the EU/EEA.
- Rambøll Management Consulting AS – Supplier of the service PeopleXact
- Regnskap og Eiendom AS – Supplier of systems for payment and accounting
- Simployer Group AS – Supplier of systems for HR
- Visma Real Estate AS – Supplier of the service Webmegler
- Xledger – Supplier of systems for economy
The processing of personal data for which we are the data controller takes place in countries within the EU/EEA. To the extent that a supplier is owned by a company in the USA, such a company in the USA is on the list of approved entities at www.dataprivacyframework.gov/s/participant-search.
Lawyers are subject to a legally binding duty of confidentiality as stipulated in Section 211 of the Penal Code. All information entrusted to us in connection with an assignment is handled confidentially. Regarding contact information and case details as described in this Privacy Statement, these may also be disclosed to counterparties, courts, and supervisory authorities in connection with legal disputes and other legal matters.
We do not disclose personal data in other situations or in other ways than those described in this Privacy Statement unless the client explicitly requests or consents to it or the disclosure is required by law.
If you visit our website, you may consent to receive cookies from us or service providers for each purpose specified in our cookie tool. Non-essential cookies for the functionality of our website will only be activated if you consent to purposes other than "necessary."
6. Storage period
We retain your personal data for as long as necessary for the purpose for which the personal data was collected.
For example, personal data we process based on your consent will be deleted if you withdraw your consent. In some cases, we may need to continue processing personal data due to obligations imposed by law. Personal data that we process to fulfill an agreement with you will be deleted when the agreement is fulfilled, and all obligations arising from the contractual relationship have been fulfilled. Personal data that we process to fulfill a legal obligation from the authorities will be deleted as required by the legal basis. This includes, for example, accounting and accounting rules.
The table below provides an overview of how long we process personal data for various purposes:
Purpose & storage period
- Client administation - Up to 10 years after the conclusion of the case
- Storage/retention of case documents - Up to 10 years after the conclusion of the case
- Invoicing information - Up to 5 years after the end of the fiscal year in which invoicing took place
- Information about potential clients - Up to 5 months after the potential client is registered
- Knowledge management (e.g., reuse of documents in future cases) - Up to 10 years
- Recruitment - Up to 3 months after the application deadline has passed. With the applicant's consent, we store CVs, applications, certificates, and diplomas for up to 3 years for use in our new relevant job advertisements
- Security logs - Up to 1 year
- Back-ups - Up to 3 years
7. Your rights as the data subject
You have several rights as the data subject under GDPR. You have the right to request access to the personal data we process about you and can request a copy of this data. If the personal data we process is incorrect, you can ask us to correct or supplement it. In some cases, you can demand that we delete your personal data. If the conditions in GDPR Article 20 are met for a processing where you are the data subject, you also have the right to data portability.
You also have the right to request restricted processing and, under certain conditions, object to the processing. You can easily withdraw your consent to our processing of personal data for which you have given consent, and this will affect our future processing where consent is a legal basis.
To exercise your rights, you must contact us by email or phone. We will respond to your request as soon as possible, and no later than within 30 days. We will ask you to confirm your identity or provide further information before allowing you to exercise your rights under applicable data protection laws. We do this to ensure that we only provide you with access to your personal data and not to someone pretending to be you.
If there are changes in how we process personal data or in the regulations regarding the processing of personal data, this may result in changes to the information provided here. If we make such changes to this statement, we will notify you, for example, by making updated information available on our website at www.raederbing.no.
9. Contact information for inquiries or complaints
If you have any questions about how we process personal data, you can contact us at firstname.lastname@example.org or by phone at +47 23 27 27 00.
If you believe that your rights as the data subject have been violated, you can lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet). You can find information on how to contact Datatilsynet on their website at www.datatilsynet.no.
If you believe that our processing of personal data does not align with what we have described here or that we are otherwise in violation of data protection laws, we hope that you will first bring the matter to our attention so that we can correct it or clarify if it's a misunderstanding. You can submit a complaint to us by sending an email to email@example.com (please mark the email with "Privacy Complaint" in the subject field).
Want to stay up-to-date?
At Ræder Bing, we are passionate about our fields of expertise and keen to share what we know and learn. Subscribe to our newsletter and stay updated.