Processing of personal data at Advokatfirmaet Kyrre ANS

Advokatfirmaet Kyrre is committed to handling personal data in a safe and secure manner and in accordance with the General Data Protection Regulation (GDPR). Personal data is any information or assessment that can be linked to an individual, either directly or indirectly. When you contact us for legal assistance, visit our website or otherwise come into contact with us, we will process personal data about you.

This privacy policy explains what personal data we collect and how we use it, how we protect your personal data, who we share it with, and your rights regarding the processing of your data.

This Privacy Policy applies to our processing of personal data relating to private clients, contact persons at corporate clients, contact persons at our suppliers and partners, individuals involved in cases we assist with, other individuals mentioned in case documents to which we have access, participants in our events, visitors to our website and job applicants.

1. Data Controller

The data controller for the processing of personal data is Advokatfirmaet Kyrre ANS, represented by Managing Director Jakob Chr. Christensen.

Advokatfirmaet Kyrre ANS’ contact information:

• Address: Postboks 1826 Nordnes, 5816 Bergen
• E-mail: firmapost@kyrre-bergen.no
• Phone: +47 - 55 36 20 60
• Organization no.: 985813760

If you have any questions regarding our processing of personal data, please do not hesitate to contact us.

2. Purposes, Types of Personal Data and Legal Basis 

We collect and use your personal data for various purposes, depending on who you are and how we come into contact with you. Below, we provide an overview of the purposes for which we process personal data, the types of personal data we process, and the legal basis for such processing.

2.1 Establishment of a Client Relationship 

Independence check (assessment of conflicts of interest):

When we are contacted by a potential client with a request to undertake an assignment, we use the client's and potential client's contact information to perform an independence check (review of potential conflict of interest). This review serves a legitimate purpose and has a legal basis in GDPR Article 6(1)(f) (balancing of interests).

A conflict check for private individuals typically includes the full name and the subject matter of the case and may also include an assessment of creditworthiness where necessary. A corresponding conflict check on behalf of corporate clients typically does not involve processing of personal data.

In connection with the establishment of a client relationship, we will conduct customer due diligence in accordance with the rules of the Anti-Money Laundering Act. We also collect documentation confirming the client's identity, for example valid identification, as well as documentation confirming the identity of the client's beneficial owners. If the client is a legal entity not registered in a public register, we obtain personal data about the managing director, business manager, owner or equivalent contact person. The customer due diligence is necessary to fulfil our legal obligations under the Anti-Money Laundering Act, cf. GDPR Article 6(1)(c).

If we undertake an assignment, the client's contact information is registered, including name, address, email address and telephone number, as well as payment information. For private clients, the registration of contact information is necessary to enter into and perform the agreement with the client, cf. GDPR Article 6(1)(b). For corporate clients, the registration of contact information is based on a balancing of interests, cf. GDPR Article 6(1)(f), and will also be necessary to enter into and perform an agreement with the company, cf. GDPR Article 6(1)(b).

2.2 Case Handling

When we perform legal assignments and work on cases, we often gain access to and process personal data about parties or other individuals involved in the case. Such personal data may be disclosed in documents that the client transmits or from other correspondence in the case.

The processing for both private clients and corporate clients is based on GDPR Article 6(1)(b) (the processing is necessary to perform the agreement with the data subject). The processing may additionally be based on GDPR Article 6(1)(f) (balancing of interests).

In some cases, we also gain access to sensitive personal data, for example health information or criminal convictions and violations of law. In such cases, the processing of the information is based on GDPR Article 9(2)(f) (the processing is necessary to establish, assert or defend a legal claim), cf. the Personal Data Act § 11. 

2.3 Client Administration

Separate case files are created for assignments performed on behalf of the client. Time and costs incurred in a case are recorded in our accounting system.

Our performance of tasks in connection with client administration is considered for both private clients and corporate clients to be a necessary part of fulfilling the agreement with the client, cf. GDPR Article 6(1)(b).

For corporate clients, this is also considered based on GDPR Article 6(1)(f) (balancing of interests).

In addition, we are subject to legal requirements that require us to process personal data, for example to comply with accounting legislation requirements. This type of processing is based on GDPR Article 6(1)(c).

2.4 Storage and Archiving of Case Documents

We may retain case documents for up to 20 years after the assignment is completed. Storage within the specified timeframe is considered necessary both for the client's benefit and for our own benefit, as questions or disputes may arise later where the information stored in a case may again become relevant. The legal basis for processing the personal data is GDPR Article 6(1)(f) (balancing of interests) and GDPR Article 9(2)(f) (to establish, assert or defend a legal claim), cf. the Personal Data Act § 11.

We are also subject to legal requirements that impose an obligation to retain personal data for a certain period after the case is concluded, for example requirements under the Anti-Money Laundering Act and accounting legislation. Such storage is based on GDPR Article 6(1)(c).

2.5 Invoicing

Contact information for employees or other individuals at corporate clients is used to label invoices for work performed that are sent to the company, if the client requests this. For private clients, the person's private address or email address is used for sending invoices.

The processing is based on GDPR Article 6(1)(b) (the processing is necessary to perform an agreement to which the data subject is a party) for both private clients and corporate clients. In addition, GDPR Article 6(1)(f) (balancing of interests) will also be the processing basis for corporate clients.

2.6 Information About Potential Clients

We process contact information related to potential clients. The processing is based on GDPR Article 6(1)(f) (balancing of interests). We have considered the processing necessary to pursue legitimate commercial interests in our business.

2.7 Knowledge Management

In connection with our knowledge management, for example when reusing documents in later cases, we process personal data that is linked to the relevant case. The processing basis is our interest in making use of developed knowledge in further advice, cf. GDPR Article 6(1)(f) (balancing of interests), which is considered necessary for internal learning processes and to work more efficiently in the best interests of our clients.

2.8 Recruitment

In connection with recruitment, we process personal data that appears from CVs, applications, certificates, diplomas, references, internal evaluations/interview notes, possibly personality tests and aptitude tests. Processing of personal data is based on GDPR Article 6(1)(b) (the processing is necessary to perform an agreement to which the data subject is a party). If we retain application documentation after a recruitment process is completed, this is done on the basis of consent from the person who applied for the position, cf. GDPR Article 6(1)(a).

2.9 IT Operations and Security

Personal data stored in our IT systems may be accessible to us or to our suppliers in connection with system updates, implementation or follow-up of security measures, error correction or other maintenance. The processing is based on GDPR Article 6(1)(f) (balancing of interests, with respect to our legitimate interest in the mentioned activities) and our legal obligation to maintain adequate information security, cf. GDPR Article 32 and Article 6(1)(c). In addition, GDPR Article 6(1)(b) (necessary to perform an agreement with the data subject) will be the processing basis for both private clients and corporate clients.

2.10 Information About Suppliers and Business Partners

We process contact information such as name, telephone number, email address and possibly job title of contact persons at our suppliers and business partners. The processing is based on GDPR Article 6(1)(b) (necessary to perform an agreement with the data subject) and GDPR Article 6(1)(f) (balancing of interests).

2.11 Use of Information Cookies

We use cookies on our websites. Information cookies are small text files that are placed on your computer, tablet or mobile phone when you visit a website.

We use information cookies to log the use of our websites in order to improve the user experience of these. You can prevent information cookies from being stored on your computer by changing the settings in your browser.

You can read more about our use of information cookies below.

3. Who We Share Personal Data With

Lawyers are bound by professional confidentiality with respect to all information they obtain in connection with the practice of law. All information entrusted to us in connection with an assignment is handled confidentially.

We do not disclose your personal data to others unless there is a lawful basis or requirement for such disclosure, for example if legal obligations require us to provide information to opposing parties, courts or public authorities, or if the client explicitly requests or specifically consents to disclosure.

Our IT service providers may have access to personal data that is stored with the provider or is otherwise available to the provider in accordance with our contract with them. Where we use data processors to process personal data on our behalf, we have entered into data processor agreements to ensure information security throughout the processing. The providers act in accordance with such data processor agreements and under our instruction. The providers may only use the personal data for the purposes we have specified and as described in this privacy policy. 

4. Storage and Deletion

We retain your personal data as long as it is necessary for the purpose for which the personal data was collected. Once it is no longer necessary to process the personal data, we will delete it.

• Documentation related to client due diligence and invoicing is retained in accordance with legal requirements under the Anti-Money Laundering Act and accounting legislation.
• Case documents may be retained for up to 20 years after the assignment is completed. In certain cases, we may retain case documents for longer than 20 years if the assignment indicates that there is a need for retention for a longer period, for example in relation to wills, long-term contracts and similar matters.
• Personal data related to events is deleted when it is no longer necessary for the purpose for which it was collected.
• Personal data that we process on the basis of your consent is deleted if you withdraw your consent.
• Personal data that we process in connection with an existing contractual relationship is deleted when the contractual relationship is fulfilled.
• Personal data collected in connection with recruitment is normally retained until the recruitment process is completed. For applicants who are hired after the recruitment process is completed, information relevant to the employment relationship will be retained and processed further in connection with the employment relationship. With the applicant's consent, we retain CVs, applications, certificates and diplomas for up to 2 years for use in new, relevant job advertisements.

5. Your Rights

You have rights with respect to personal data concerning you. Which rights you have depend on the circumstances. You can read more about your rights on the Norwegian Data Protection Authority's website.

To exercise your rights, you must contact us by email or phone. We will respond to your request as soon as possible, and no later than 30 days. We will ask you to confirm your identity or provide additional information to verify your identity. We do this to ensure that we only provide access to your personal data to you and not to anyone impersonating you.

Please note that there may be exceptions and limitations to the rights described above. For example, we cannot disclose personal data if it would be in breach of our duty of confidentiality or delete personal data if we are legally obligated to retain it.

Your rights are described in more detail below:

5.1 Withdraw Consent

If you have consented to processing of personal data, such as retention of application documents for a period after applying for a position with us, you may at any time withdraw your consent with respect to this processing by contacting us.

5.2 Right of Access

You have the right to access information about what personal data we have registered about you, insofar as our duty of confidentiality does not prevent this. To ensure that personal data is provided to the correct person, we may require that requests for access are made in writing or that identity is verified in another way.

5.3 Right to Rectification or Erasure

You can ask us to correct inaccurate information we have about you or ask us to delete personal data. We will, to the extent possible, accommodate a request to delete personal data, but cannot do so if there are overriding reasons not to delete, for example because we must retain the information for documentation purposes.

5.4 Data Portability

In some cases, you may be able to obtain access to personal data you have provided to us to have it transferred in a machine-readable format to you or others, for example another law firm. Where technically possible, you may in some cases be able to have this transferred directly to the other firm.

5.5 Complaint to Supervisory Authorities

If you believe that our processing of personal data is not in accordance with what is described in this privacy policy or that we otherwise violate privacy legislation, you can contact our data controller. If, after contacting or complaining to us, you still believe that our processing of your personal data is not in accordance with privacy legislation, you can file a complaint with the Norwegian Data Protection Authority (Datatilsynet).

6. Security 

We have established technical and organizational measures to ensure that the processing of personal data is carried out in a secure manner and in accordance with applicable law. We regularly assess the security of all central systems used for processing personal data, and agreements have been entered into requiring providers of such systems to ensure adequate information security.

7. Changes to This Privacy Policy

We may make changes to this privacy policy. You will always find our latest version on our website.

8. Contact Us

If you have questions or comments about our privacy policy or if you wish to exercise your rights, you can contact us at firmapost@kyrre-bergen.no

Use of cookies

We use cookies on our website. Cookies are small text files that are stored on your computer, tablet, or mobile phone when you visit a website. The use of cookies is regulated by Section 2-7(b) of the Electronic Communications Act.

We use the Google Analytics analytics tool to collect and analyze information about how visitors use our website and to improve the user experience on the site.

Google Analytics uses cookies and collects information about IP addresses and browser types, the user's location and the time of the visit, which pages the user visits, and the website from which the user arrived. The cookies and the data collected are anonymized, so the statistics cannot be traced back to you as an individual.

The information we receive is subject to Google's privacy policy; see Privacy Policy – Privacy & Terms – Google

Do we use other tools that rely on cookies?

You can prevent cookies from being stored on your device by changing your browser settings. Here, you can block the use of cookies on your device and delete cookies that have already been downloaded.

For more information about cookies and how to manage them, visit https://nettvett.no/slik-administrer-du-informasjonskapsler/