Personal data and privacy policy

We take the protection of your personal data seriously

DreistStorgaard Advokater A/S (“DS”) is responsible for compliance with applicable legislation, including the EU general data protection regulation (the “GDPR”) and the Danish Act on the Processing of Personal Data.

DS has adopted this personal data and privacy policy which applies to the law firm in connection with the processing of personal data.

The personal data and privacy policy contains a description of how we process personal data about our clients and other parties about whom we handle personal data as part of our case management or to fulfil other purposes.

In addition, reference is made to our cookie policy https://dreiststorgaard.dk/cookie-politik/, which applies to collection of personal data in connection with the use of the website https://www.dreiststorgaard.dk/en with sub-pages.

To protect your personal data in the best possible way, we assess on an ongoing basis how large the risk is that our data processing impacts your basic rights adversely. In particular, we are aware of the risk that you are exposed to discrimination or identity theft – or suffer financial losses, loss of reputation or data confidentiality.

We are data controllers (but in some cases we can be data processors)

When we process personal data about clients and other parties as an element of the operations of the law firm, we are most often considered data controllers, whereas in a few situations we are data processors, which is the case e.g. in relation to our property management clients. Whether we are data controllers or data processors depends on the specific situation. Below, we have stated the typical situations based on our relations to you.

Processing of personal data about you as a client as part of the handling of a case:

When we handle personal data about you or for you as a client – including contact information of your employees etc. – we do it to solve a legal task that you have asked us to assist you with.

As lawyers we most often work independently and i.a. assess if there is any basis for collecting and processing personal data, which personal data is necessary and relevant and for how long the personal data should be stored. In addition, being lawyers we are subject to a number of other rules in our case handling, including the Code of Conduct for the Danish Bar and Law Society, the Danish Administration of Justice Act etc. which impose on us a number of obligations, e.g. the duty to make an independent assessment of the procedure in a case – non-related to your opinion as a client.

We are thus under an obligation to act independently in connection with a number of decisions concerning your (and any other parties’) personal data, for which reason we will be considered data controllers in most types of cases.

When we are data controllers in relation to your personal data, it means that we must ensure compliance with the rights you have under the personal data legislation (see the section “Your rights“).

In connection with certain types of cases, e.g. property management, we may, as mentioned above, be considered data processors in the circumstances if we act according to detailed instructions from our client (e.g. the owners’ association). DS will inform the client if we assess that we are data processors, to the effect that we can enter into a data processing agreement and conclude a detailed agreement about any assistance, in compliance with the data controller’s duties, including e.g. the preparation of privacy policies for the client’s customers/contracting parties.

Processing of personal data for you as a client as an element of other purposes than the handling of a case:

When we process personal data about our clients or the owners/managers of our clients (where the client is a company) as part of other purposes than the handling of a case for the client, we are also data controllers.

Such other purposes may e.g. be the handling of your personal data for complying with our duty to obtain identification etc. to meet the money-laundering legislation or storage of your contact data in a customer database.

In these situations, when we are data controllers in relation to your personal data, it means that we must ensure compliance with the rights you have under the personal data legislation (see the section “Your rights“).

Processing of personal data for other parties than clients in connection with the handling of a case:

In connection with the handling of a case for our clients there will be situations where we must handle personal data about other parties with relations to the client or the case, e.g. employees, collaborative partners, contracting parties, customers, opponents etc. To such parties, we are most often data controllers.

That means that we must ensure compliance with the data subject’s rights under the personal data legislation (see the section “Your rights“).

Processing of personal data as part of a job application:

DS handles job applications in connection with the recruitment of new employees, and in that connection DS is data controller of the personal data which you provide in your application with appendices.

As the data controller of personal data in a job application and otherwise in employment relations, we must ensure compliance with the rights that you have according to the personal data legislation (see the section “Your rights“). We have prepared a personal data policy for recruitment which you can see at the following link: https://dreiststorgaard.dk/karriere/ledige-stillinger/dreiststorgaard-advokater-a-s-persondatapolitik-ved-rekruttering/

Contact information in the case of questions about DS’s handling of personal data

DS is responsible for the personal data processed in connection with specific client relations and cases. You may always contact DS’s personal data officer at persondata@dreiststorgaard.dk

DS’ other contact information:

DreistStorgaard Advokater A/S
CVR no. 32300456
Bag Haverne 32-50
4600 Køge
Telephone: +45 56634466

You must also use this e-mail address if you want access to the information that DS processes about you.

We ensure fair and transparent data processing
When we ask you to make your personal data available to us, we inform you which data about you we process and for what purpose. You receive information about this at the time when your personal data is collected.

If we obtain data about you from others, e.g. a supplier, authority or collaborative partner, we inform you thereof no later than 30 days after we have obtained your personal data – but usually faster. We also inform you about the purpose of the collection and the legal basis that gives us access to obtain your personal data.

If you are e.g. an opposite party to or a witness in a case that we handle on behalf of a client, there may however be situations where, as a result of our duty of confidentiality, we are not required to comply with the duty of disclosure or must not comply with it until at a later time when the duty of confidentiality no longer prevents the compliance with the duty of disclosure.

PROCESSING OF PERSONAL DATA

We use the personal data that is necessary and relevant to the handling of the specific task or case. Depending on the nature of the task/case, the data we use may include:

General personal data
General personal data may e.g. be information about name, address and further contact information, information about financial matters, family matters etc. The nature of the information we collect depends on the nature of the task.

Unless we agree otherwise with our client, general personal data can be exchanged with the client and relevant third parties by using e-mails without encryption.

Civil Registration System numbers (“CPR numbers”)
In a number of contexts, we have to process CPR numbers, e.g. in case of transactions in real property, land registration processing, incorporation of companies, other company changes (e.g. registration of management etc.).

Further, according to the money-laundering legislation applicable to lawyers, we are obliged to obtain identification information with CPR numbers for personal clients or the personal owners of company clients.

In the event of exchange of documents containing CPR numbers by e-mail, we will to the extent possible use encrypted e-mails, and we urge clients and third parties to do the same. If you are unable to send encrypted e-mails, it is recommended that you agree to another procedure with the said responsible employee handling your case with DS.

Sensitive information
In certain cases, it is relevant to process sensitive personal data, including health information, genetic and biometric data, information about racial/ethnic origin, political opinions, religion or philosophical beliefs, data concerning sex life, information about trade union membership, and data on criminal convictions and offences.

Sensitive information is processed with special confidentiality and will not be exchanged by e-mail unless encryption or other form of secure communication is used.

We collect and store your personal data for specific purposes
We collect and store personal data in connection with specific purposes in connection with the handling of cases for our clients or as part of our own business purposes.

The typical situations are those in which we:

  • process personal data to safeguard the interest of our client in connection with a specific case or task,
  • obtain identity information etc. for the purpose of complying with the money-laundering legislation, or
  • store and use contact data in a CRM system for the purpose of marketing similar services which we assess are relevant in relation to the client and to submit electronic newsletters where we have your consent.

We only process relevant and necessary personal data

We only process personal data about you that are relevant and adequate in relation to the purposes defined above. Thus, we do not use other personal data than data we need for the specific purpose.

Further, we only process the personal data that is necessary in relation to complying with our determined purposes.

It may be determined by legislation, which type of personal data is necessary to collect and store for our business operation. The type and extent of the personal data processed by us can also be necessary to perform an agreement or other legal obligation resting with us under the legislation.

For the purpose of ensuring that we only process relevant and necessary personal data for each of our specific purposes, we use IT solutions that contribute to ensuring that only the quantity of data is collected which is necessary. It is also ensured via internal guidelines that the extent of the processing is not unnecessarily large and that the storage period is not too long.

To protect you from third parties having access to your personal data, we use IT solutions which ensure that personal data is only accessible to relevant employees.

We check and update your personal data

We check that the personal data that we process about you is not incorrect or misleading. We also ensure the ongoing updating of your personal data.

As our service depends on your personal data being correct and updated, we ask you to inform us of relevant changes to your personal data. You can contact the relevant lawyer or use the contact information above to inform us of your changes.

To ensure the quality of your personal data, we have adopted internal rules and laid down procedures for control and updating of your personal data.

We delete your personal data when it is no longer needed

We delete your personal data when it is no longer needed in relation to the purpose that formed the basis of our collection, processing and storage of the said personal data.

This entails e.g. that we delete identity information about clients collected under the Danish Anti-Money Laundering Act, five years after the termination of the client relationship, see the rules of the Danish Anti-Money Laundering Act to that effect. Personal data obtained in connection with the handling of specific cases or tasks will be stored for an appropriate period after the finalisation of the case, which we are obliged to according to the ethical rules. This will usually be at least five years.

In a number of cases, there is a basis for storing case information for a longer period, but rarely for more than 10 years. Certain basic information is, however, stored for an indefinite period of time in order to be able to uncover any conflicts of interest, see the ethical rules. DS has adopted its own rules for storage and deletion of cases.

We always have a legal basis for processing your personal data

When we process your personal data in connection with case processing, we ensure that we always have a legal basis for processing your information.

Most often, we process your information based on our agreement to assist you with a case and our legitimate interest in processing your personal data.

In particular, it should be emphasised that we often have the possibility of processing personal data because it is necessary to perform a legal obligation resting with us, e.g. the anti-money laundering legislation.

In certain cases we must obtain your consent before we process your personal data, e.g. in connection with the processing of sensitive personal data. However, it is not necessary to obtain consent in connection with the handling of disputes, including assessment, institution and conduct of legal proceedings where we have the possibility of processing personal data of any kind – including sensitive personal data – where required to establish, make or defend a legal claim.

Any consent is voluntary, and you may always withdraw it by contacting us.

Please use the contact information above if you want further information.

If we want to use your personal data for any other purpose than the original one, we inform you of the new purpose and – if necessary – we ask for your consent before we commence the data processing. If we have any other legal basis for the new processing, we will inform you thereof.

We do not disclose your personal data without a lawful basis

We always ensure that there is a legal basis before we disclose your personal data to a third party.

If we disclose your personal data to business partners and players, i.a. for the purpose of marketing, we obtain your consent in advance and inform you what your personal data is used for. You can always object to this form of disclosure, and you can also decline communication for marketing purposes in the central national register or by informing us thereof. Marketing by e-mail always requires your consent.

In connection with the processing of a case no consent is required for disclosing the client’s information to e.g. the court or the opposing party when it is done as part of the performance of our agreement on assistance or for the purpose of establishing, making or defending a legal claim.

We do not obtain your consent if we are legally obliged to disclose your personal data, e.g. as part of reporting to an authority. This also applies to the disclosure of identification information of clients and potential clients in connection with a check of any conflicts of interest in cases that involve a number of DS’s physical offices. We obtain your consent before we disclose your personal data to recipients in third countries, i.e. countries outside the EU/EEA area. If we disclose your personal data to business partners in third countries, we are certain that their level of personal data protection corresponds with the requirements we have set out in this policy under applicable legislation. We make requirements for i.a. the processing of personal data, information security and compliance with the rights you have, e.g. to object to profiling and to file a complaint with the Danish Data Protection Agency.

It is noted that disclosure of personal data to third countries is only relevant in connection with specific tasks. To the extent that the law firm generally stores client and case information with an external business partner (cloud solution), we will use only business partners within the EU/EEA that provide us with appropriate security that personal data is not stored in third countries.

SECURITY

We protect your personal data and have internal rules on information security

We have adopted internal rules on information security that contain instructions and measures protecting your personal data from becoming destroyed, lost or changed, against unauthorised publication and against third parties having access to or knowledge of it.

We have established procedures for granting access rights to those of our employees who process sensitive personal data and personal data that uncovers information about personal interests and data which is otherwise considered confidential. We check the actual access through supervision. In order to avoid loss of data, we make backup of our data sets on an ongoing basis.

In case of security breaches that entail a high risk for you of discrimination, identity theft, financial loss, loss of reputation or other material nuisance, we will inform you of the security breach as soon as possible and under the rules set out in the legislation.

If the law firm uses an external business partner to store personal data (cloud solution), we ensure that a data processing agreement has been entered into and that the said business partner has adequate security procedures, and that compliance thereof is audited on an ongoing basis, e.g. by reporting of IT suppliers that maintain a relevant ISO certification on IT and information security.

PERSONAL DATA AT WWW.DREISTSTORGAARD.DK

Electronic newsletters

We collect personal information about you when you sign up for our electronic newsletters through forms at www.dreiststorgaard.dk.

Use of contact forms at www.dreiststorgaard.dk

Processing of personal data and digital communication
We handle your personal data confidentially so that your information does not become known by third parties, e.g. when you enter information through the contact forms on the website.

Digital communication via contact forms at www.dreiststorgaard.dk
You should never send personal and confidential information or sensitive data through our contact forms on the website.

Contact forms, including pop-up forms at www.dreiststorgaard.dk
When contact forms on our website are used, we treat your personal data confidentially and in compliance with the Danish Act on the Processing of Personal Data and EU’s General Data Protection Regulation.

Provision of name, e-mail address and telephone number
By entering your name, e-mail address and telephone number on contact forms on the website, you also consent to the following specific purposes:

DS may register your name, e-mail address and telephone number for future contact for the purpose of legal advice and marketing of our products to you. We do not disclose or sell your personal data to any third party. You can always inform us if you do not want your personal data entered through the contact forms on the website to be registered, or if the information is to be changed because you have e.g. changed your e-mail address. This can be done by contacting koege@dreiststorgaard.dk

Collection, processing and disclosure of personal data
DS is responsible for the processing of your personal data.

The legal basis for processing your personal data entered through contact forms on our website is:

  • The General Data Protection Regulation, articles 6.1.a and 9.2.a (consent for specific purposes)

You may always withdraw consent for processing of your personal data. If the consent is the only processing authority, we may no longer process the said information.

To the extent that we use external data processors, this is regulated by a data processing agreement to ensure that your data is processed according to the legislation. A data processor is a business which processes data/information on behalf of DS. Such external data processors may include: IT suppliers (including some forms of software and support agreements and hosting and cloud-based solutions)

DS stores your personal data for as long as necessary to be able to provide advice/services to you in relation to the purpose for which you contacted DS through the contact forms on the website.

The storage of your personal data is based on your consent which is logged in our present newsletter system MailChimp.

When you receive a DS newsletter, we can, depending on your e-mail provider and client (computer, tablet or mobile) see if you have opened the e-mail and which links you may click. We also get information if there are problems with delivering your e-mail.

You can always withdraw your consent by unsubscribing from the newsletter by clicking on the link at the bottom of each newsletter.

Read more about MailChimp and personal data: https://mailchimp.com/legal/privacy/

Download of contents from www.dreiststorgaard.dk

To download content from www.dreiststorgaard.dk – e.g. e-books and document templates – we ask you to enter your e-mail address and your postal code.

After we have sent you an e-mail with the content that you wanted to receive, your e-mail address and name are only stored in our newsletter system MailChimp.

You can always withdraw your consent by unsubscribing from the newsletter by clicking on the link at the bottom of each newsletter. Read more in the section “Electronic newsletters”.

USE OF COOKIES

DS has a cookie policy – https://dreiststorgaard.dk/cookie-politik/

YOUR RIGHTS

You are entitled to access your personal data

As a client, you are always entitled to be informed of which personal data we process about you, from where it originates and what we use it for. You can also be informed of how long we store your personal data and who receives personal data about you to the extent that we disclose your personal data.

If you request it, we can inform you of the personal data we process about you. The access may, however, be limited for purposes of other persons’ privacy, business secrets and intellectual property rights.

You may exercise your rights by contacting us. You find our contact information above.

If you are not a client

If you are not a client, but we process personal data about you as part of an assignment for a client, as a starting point you are entitled to be informed of which personal data we process about you, from where it originates and what we use it for. You can also be informed of how long we store your personal data and who receives personal data about you to the extent that we disclose your personal data.

If the information is subject to a duty of confidentiality (or is limited for other reasons, see above), we are not obliged to meet your request for access.

You may exercise your rights by contacting us. You find our contact information above.

You are entitled to have inaccurate personal data rectified or deleted

If you think that the personal data about you which we process is inaccurate, you are entitled to have it rectified. You must contact us and inform us of the inaccuracies and how they can be rectified.

In some cases we have an obligation to delete your personal data. That applies e.g. if you withdraw your consent and we do not have any other legal basis for processing your personal data. If you think that your personal data is no longer necessary in relation to the purpose for which we obtained it, you can ask to have it deleted. You can also contact us if you think that your personal data is processed contrary to the legislation or other legal obligations.

When you contact us with a request to have your personal data rectified or deleted, we check if the conditions have been met, and in such case we implement the rectifications or the deletion as soon as possible.

You have a right to object to our processing of personal data

You have a right to object to our processing of your personal data. You can also object to our disclosure of your data for marketing purposes. You may use the contact information above, including persondata@dreiststorgaard.dk, to send an objection. If your objection is justified, we ensure that the processing of your personal data ceases.

You are entitled to receive your personal data in electronic form (right to data portability)

You have the right to receive, in electronic form, the personal data which you have made available to us, and the data we have obtained about you from other players based on your consent. If we process personal data about you as part of an agreement to which you are a party, you can also have your data sent. You are also entitled to transfer this personal data to another service provider, e.g. in connection with a change of lawyers.

If you want to exercise your right to data portability, you will receive your personal data from us in a commonly used format by e-mail or on a USB stick.

If you want access to your data, to have it rectified or deleted, or make objections to our data processing, we will check if this is possible and provide you with an answer to your inquiry as soon as possible and no later than one month after we received your inquiry.

You can complain of unlawful processing of personal data

If you think that unlawful processing of your personal data takes place, you should first discuss this with the lawyer handling the case. You can also complain to the person whom DS has appointed as responsible for personal data questions, knowledge management lawyer Peter Niemann Thøgersen, by sending an e-mail to persondata@dreiststorgaard.dk.

If you think that your personal data – despite a complaint to DS – is not processed correctly, you may file a complaint with the Danish Data Protection Agency. See www.datatilsynet.dk for further information.