NYBORG & RØRDAM LAW FIRM
This privacy policy describes how Nyborg & Rørdam Law Firm (“Nyborg & Rørdam”, “we” or “us”) processes personal data as part of our law firm business and in connection with the use of our website and in the course of marketing.
1. Generally about Nyborg & Rørdam’s processing of personal data
1.1. The core activity of Nyborg & Rørdam is to provide legal advice and other legal services. In order to provide our clients with such services (“Legal Casework”) and to carry on business as a law firm in general (“Law Firm Business”), we need to process personal data.
1.2. This policy describes how Nyborg & Rørdam collects and processes1 personal data about our clients or other persons involved in the case. This could be the client personally and the client’s close relatives, including beneficiaries or, if the client is an enterprise or organisation, the client’s employees and other persons involved or the client’s owners, and other persons of relevance to the case, including persons associated with the opponent, contracting parties or business partners and other third parties.
1.3. Through cookies we collect personal data regarding the use of our website www.nrlaw.dk, including the IP addresses of visitors, and we further collect and use personal data for marketing-related activities, also to target our communication to you, and when sending newsletters.
1.4. This policy is divided into the following sections:
- Nyborg & Rørdam as data controller, section 2
- The purpose of processing, section 3
- The legal basis for processing, section 4
- The categories of personal data concerned, section 5
- The sources from which the personal data originate, section 6
- The categories of recipients, section 7
- Retention and erasure, section 8
- Data subject rights, section 9
- Security of processing and email communication, section 10
- Effective date and amendments, section 11
1.5. Persons whose personal data are processed by Nyborg & Rørdam are also referred to as “data subjects”.
1.6. The attorneys of Nyborg & Rørdam are involved in directorships and administration for a number of foundations and grants. The processing of personal data in this connection is described in detail in the separate privacy policy for foundations and grants, see here.
2. Nyborg & Rørdam as data controller
2.1. Nyborg & Rørdam is the data controller of the personal data we collect or otherwise receive in the course of our Legal Casework and Law Firm Business2 and website as well as for the purpose of our marketing initiatives.
2.2. Nyborg & Rørdam’s identity and contact details are as follows:
Nyborg & Rørdam Advokatfirma P/S
Business registration (CVR) no. 35471197
Store Kongensgade 77, 1264 Copenhagen K, Denmark
Tel.: +45 33 12 45 40
www.nrlaw.dk
privacy@nrlaw.dk
2.3. Nyborg & Rørdam processes personal data in accordance with the fundamental principles of good data processing practices concerning lawfulness, fairness and transparency3.
2.4. Nyborg & Rørdam’s attorneys and other employees have such access to personal data as is relevant for them, having regard to their areas of responsibility and duties. All legal employees are subject to an obligation of professional secrecy, see the rules of the Danish Bar and Law Society in this regard. Other employees are also subject to strict secrecy.
3. The purpose of processing
3.1. Legal assistance, including based on official appointment
3.1.1. Nyborg & Rørdam processes personal data to establish the client relationship and to effectively assist and advise the client on the relevant assignment. The purpose and extent of the Legal Casework for each assignment is set out in the agreement to provide legal services concluded by Nyborg & Rørdam and the client and/or through our duties as appointed administrator, receiver or defence counsel.
3.2. Running our Law Firm Business
3.2.1. Nyborg & Rørdam also processes personal data received in the course of performing the Legal Casework and running our Law Firm Business. This is necessary, among other things, for compliance with legal requirements and the obligations we are subject to as attorneys, e.g. to conduct conflicts checks and know-your-customer procedures under the Danish Anti-Money Laundering Act prior to starting up the Legal Casework, or for the defence of any legal claims.
3.3. Website operation and marketing
3.3.1. Nyborg & Rørdam further processes personal data which we have received as part of Legal Casework in connection with our Law Firm Business. The purpose of the processing of personal data is aimed at communication with the users as well as the operation of our website so that it functions smoothly and is regularly updated. We also carry out statistics which may be used inter alia to improve the design of our website. You can read more about cookies, the purpose of cookies and deletion and blocking of cookies in our Cookie Policy on www.nrlaw.dk.
3.3.2. Furthermore, Nyborg & Rørdam processes personal data in connection with marketing-related activities, including personal data which we have received from persons who have subscribed to our newsletters. This is in order to target and improve our communication and marketing-related activities, including our newsletters. You can subscribe and unsubscribe to our newsletters on the website, and in the individual emails you receive together with the newsletters. You are at any time entitled to object to our processing of your personal data for direct marketing purposes, after which we must cease to process your personal data for this purpose.
3.4. Other purposes
3.4.1. We may also process personal data for other purposes which are not incompatible with the purposes described above. By way of example, we may do so if such processing is deemed necessary or appropriate to the Legal Casework and/or deemed necessary in order to pursue our legitimate interest in running our Law Firm Business and our interests are not overridden by the data subject’s interests or fundamental rights and freedoms.
4. The legal basis for processing
4.1. The agreement to provide legal services and official appointment
4.1.1. When you are a client with us, Nyborg & Rørdam will process your personal data on the following basis:
- to perform our agreement to provide legal services, see article 6(1)(b) of the GDPR, and/or
- in the course of our duties as appointed administrator, receiver, trustee or defence counsel, see article 6(1)(c) of the GDPR.
4.2. Other legal basis for processing
4.2.1. In addition, in the course of the Legal Casework and the running of our Law Firm Business, Nyborg & Rørdam may process personal data about clients4, employees, owners, beneficiaries, relatives or other of the client’s related parties and about the opponent and other third parties, see clause 1.2, on the following basis:
- Based on explicit consent from the data subject to process the data for one or more specific purposes, see articles 6(1)(a) and 9(2)(a) of the GDPR;
- If necessary for compliance with a legal obligation to which Nyborg & Rørdam is subject, see article 6(1)(c) of the GDPR;
- If necessary in order to safeguard and protect the vital interests of the data subject or of another natural person, see articles 6(1)(d) and 9(2)(c) of the GDPR and section 7(1) of the Danish Data Protection Act (databeskyttelsesloven), e.g. as an appointed guardian;
- If necessary for the performance of a task carried out in the public interest which Nyborg & Rørdam has been appointed to carry out, see article 6(1)(e) of the GDPR, e.g. duties on boards and commissions of inquiry;
- If necessary for purposes of the legitimate interests pursued by the client or Nyborg & Rørdam, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, see article 6(1)(f) of the GDPR. By way of example, this may include:
- the legitimate interests of Nyborg & Rørdam mentioned in section 3.2.1;
- the client’s or our own legitimate interest in defending, establishing or exercising a legal claim;
- the legitimate interest of the client, including beneficiaries, in other respects in establishing or securing a given legal position in connection with the subject-matter, including the administration of an estate or a legal dispute.
- If processing is necessary for compliance with the employment or labour law obligations and the exercise of specific rights of Nyborg & Rørdam or the data subject, see article 9(2)(b) of the GDPR and sections 7(2) and 12(1) and (2) of the Danish Data Protection Act;
- If processing is necessary for the establishment, exercise or defence of a legal claim, see article 9(2)(f) of the GDPR.
4.3. Operation of website and marketing
4.3.1. The legal basis for our processing of your personal data in connection with the operation of our website and for the use of marketing-related activities is:
- Consent, cf. article 6(1)(a) of the GDPR, when you subscribe to our newsletters or accept optional cookies; and/or
- The balancing of interests rule in article 6(1)(f) of the GDPR, where the legitimate interests pursued by us are our interest in optimizing the operation of our website and our marketing interest as well as our interest in targeting the material we send.
4.4. Civil registration (CPR) numbers
4.4.1. Nyborg & Rørdam may process data about civil registration (CPR) numbers:
- if permitted to do so under the law;
- if the data subject’s consent has been obtained;
- if the processing is in the form of disclosure where the disclosure is a natural element in the course of running our Law Firm Business and the disclosure is of crucial importance to uniquely identifying the data subject or the disclosure is required by a public authority; or
- if the conditions in section 7 of the Danish Data Protection Act are satisfied, see section 11(2) of the Danish Data Protection Act.
4.5. Personal data relating to criminal convictions and offences
4.6. Nyborg & Rørdam may process personal data relating to criminal convictions and offences:
- if necessary for the establishment, exercise or defence of a legal claim, see article 9(2)(f) of the GDPR;
- if necessary to safeguard a legitimate interest which clearly overrides the data subject’s interests, see section 8(3) of the Danish Data Protection Act;
- if the data subject’s consent has been obtained, see section 8(3) of the Danish Data Protection Act; or
- pursuant to section 8 of the Danish Anti-Money Laundering Act.
5. The categories of personal data concerned
5.1. In the course of our Legal Casework and Law Firm Business, Nyborg & Rørdam processes both general personal data, special categories of personal data5 and personal data relating to criminal convictions and offences as well as civil registration (CPR) numbers.
5.2. The types of general personal data we collect and process may include:
- name and contact details, including address, email address, telephone number, IP address and the name of your employer, etc.;
- other identification data, including civil registration (CPR) number, passport number, the data mentioned in the Danish Anti-Money Laundering Act, date of birth and photos;
- financial information, including bank account and, if relevant, safe custody number;
- factual information or assessments relating to an assignment carried out by Nyborg & Rørdam (i) under the agreement to provide legal services with a client, (ii) in the course of the conclusion and performance of other contracts or (iii) in the course of our duties under an official appointment or otherwise in the course of our Law Firm Business;
- any other personal data we have collected or received from the client or other third parties in order for an assignment to be carried out efficiently and properly by Nyborg & Rørdam or in the course of the Legal Casework.
5.3. Certain types of assignments may render it necessary for us to also process personal data relating to criminal convictions and offences, civil registration (CPR) numbers or special categories of personal data5, including for example:
- Health data
- Data about racial or ethnic origin
- Trade union membership
5.4. The categories of personal data mentioned in section 5.3 enjoy stricter protection and we comply with such higher standard of protection by having implemented appropriate organisational and technical measures, see section 10.
5.5. For the purpose of website operation and marketing-related activities, including sending newsletters, Nyborg & Rørdam only processes general personal data. The types of general personal data collected and processed for these purposes include names and contact details (including address, email, telephone numbers, IP addresses, and your place of employment etc.), information about our communication and the recipient’s language and news preferences, as well as information about the use of our website.
6. The sources from which the personal data originate
6.1. We may receive and collect personal data from you yourself on an ongoing basis from emails, letters, interviews or telephone conversations.
6.2. It is also often necessary and relevant for us to receive or obtain personal data and other information from external sources. This could be sources such as the opponent’s attorney or other advisers, public authorities, courts and other third parties as well as from public registers and media. Such processing will be based on an agreement with the data subject (if you are our client) or other authority, see section 4.2.
6.3. As a general rule, we assume that the personal data you provide to us are accurate at the time of receipt. We encourage you to notify Nyborg & Rørdam of any changes to your data to allow us to update them.
7. The categories of recipients
7.1. All non-public personal data which are collected, received, recorded and stored by us are treated confidentially by Nyborg & Rørdam. We generally do not disclose personal data to third parties, unless in accordance with the below provisions.
7.2. In some cases, it will be necessary and relevant to disclose personal data to third parties such as:
- courts, including minretssag.dk, as well as arbitration tribunals and mediators;
- public authorities or agencies as well as public boards and councils, etc.;
- public registers, including virk.dk and tinglysning.dk;
- other attorneys of relevance to the assignment;
- other advisers, including accountants and auditors, of relevance to the assignment;
- specialist experts and valuation experts;
- banks;
- contracting parties or other third parties directly or indirectly associated with the assignment;
- next of kin or other family members.
7.3. We may also disclose personal data to third parties if such disclosure is permitted under the agreement to provide legal services or under applicable national or EU law or if the data subject’s consent has been obtained.
7.4. We may transfer personal data to third parties, including to non-EU/EEA countries or international organisations, if so agreed between Nyborg & Rørdam and the client or if implied by the purpose of the agreement to provide legal services, e.g. because the client or the opponent resides in a non-EU/EEA country or the matter has other ties to such countries.
7.5. In connection with hosting of our website and our marketing-related activities personal data may be transferred to countries outside the EU/EEA. This includes secure third countries which, as decided by the European Commission, have an adequate level of protection pursuant to article 45(1) and article 45(3) of the GDPR, or other third countries, who have provided the adequate safeguards in accordance with article 46(1) and (2)(c) of the GDPR through standard contractual clauses on data protection adopted by the Commission.
7.6. In addition, international data transfers may be made, including to non-EU/EEA countries or international organisations, to the extent that Nyborg & Rørdam is required to make such transfers under applicable national or EU law.
7.7. Personal data may be disclosed to our external service providers for processing, including data processor(s) assisting us in the running of our Law Firm Business, website and/or marketing-related activities.
7.8. Disclosure pursuant to the Danish Anti-Money Laundering Act
7.8.1. Nyborg & Rørdam is required to submit identification data to banks in order to comply with the requirements of the Danish Anti-Money Laundering Act concerning identification of beneficial owners of sums deposited in Nyborg & Rørdam’s general client account or any separate client account opened by Nyborg & Rørdam with the bank in question concerning the client.
7.8.2. In certain situations, Nyborg & Rørdam is required to notify the Danish Bar and Law Society, the State Prosecutor for Serious Economic and International Crime or the Danish Financial Supervisory Authority if we suspect or have reason to believe that any funds, transaction or activity involve or have involved money-laundering or financing of terrorism. In connection with such notification, any identification and verification data and other information required under the provisions of the Danish Anti-Money Laundering Act may be disclosed to the Danish Bar and Law Society, the State Prosecutor for Serious Economic and International Crime and/or the Danish Financial Supervisory Authority.
8. Retention and erasure of personal data
8.1. Generally
8.1.1. Nyborg & Rørdam will retain personal data as long as is necessary to fulfil the purpose of our processing and to comply with rules governing limitation of claims arising from the law of obligations and property. We will thus erase your personal data when they are no longer necessary for us to retain having regard to the purpose(s) of processing and the legal basis for processing. If the data are to be stored longer than that, an agreement to this effect must be entered into.
8.1.2. As a general rule, the following retention periods apply, unless we are allowed to store the data for a longer time on another basis. Time begins to run on completion of the client relationship or the individual transaction:
- For data which fall within the scope of our obligations under the Danish Anti-Money Laundering Act, the retention period is five (5) years.
- For other data which are processed on an ongoing basis in the course of the client relationship or the individual assignment, the retention period is up to 10 years.
- For certain data, the retention period may be up to 30 years.
8.1.3. If you have subscribed to our newsletters, we will retain your personal data as long as you wish to receive the material and for a subsequent period of up to two years. If we have collected publically available information about you in order to carry out marketing-related activities, we will retain the material as long as the activity in question is on-going and for a subsequent period of up to two years.
9. Data subject rights
9.1. Persons whose data Nyborg & Rørdam processes in connection with the purposes set out in section 3 (the “data subject”) have a number of rights under the GDPR.
9.2. Our obligation to provide information
9.2.1. We comply with our obligation to provide information in connection with the agreement to provide legal services, to which reference is made, and via this Privacy Policy.
9.2.2. We also comply with our obligation when providing information about the assignment in the course of the Legal Casework. However, some exemptions may apply to our obligation to provide information due to our obligation of professional secrecy and the data protection rules, see below.
9.2.3. If, in the course of providing our services, we receive personal data about other data subjects than the client, we will inform the data subject(s) as soon as possible, unless we are exempt from the obligation to provide information under article 14(5) of the GDPR or section 22 of the Danish Data Protection Act, eg. as a result of our obligation of professional secrecy or if the data subject’s interests are deemed to be overridden by the client’s or other parties’ compelling interests.
9.3. Other rights
9.3.1. As a data subject, you also have the following rights in respect of Nyborg & Rørdam:
- You have the right to request access to and rectification or erasure of your personal data;
- You have the right to withdraw your consent to our processing of your personal data at any time. If consent is withdrawn, this will affect Nyborg & Rørdam’s future processing of the relevant personal data;
- You have the right to object to the processing of your personal data and to restrict such processing;
- You have the right to receive in a structured, commonly used and machine-readable format the personal data which you yourself have provided to us (data portability);
- In some cases, you have the right to object to our otherwise lawful processing of your personal data. However, you always have an unconditional right to object to direct marketing.
9.3.2. In some cases, your above rights may be subject to specific limitations. If you as a data subject wish to exercise your rights, please use our contact details in section 2.2.
9.3.3. You have the right to lodge a complaint with the Danish Data Protection Agency regarding Nyborg & Rørdam’s processing of your personal data. The Agency’s address is Borgergade 28, 5., 1300 Copenhagen K, Denmark, www.datatilsynet.dk, T +45 33 19 32 00, email: dt@datatilsynet.dk.
10. Security of processing and email communication
10.1. Nyborg & Rørdam has implemented an internal information security policy containing instructions and measures which, based on a risk assessment, are designed to protect personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.
10.2. We use the general encryption technologies (TLS) when sending and receiving emails, documents and other materials via the internet in the course of our Legal Casework. In certain cases a stronger encryption (end-to-end) is used if the recipient has installed the necessary technology for this purpose.
10.3. Nyborg & Rørdam is unable to guarantee the security of any personal data sent to us by ordinary email, before the data in question have been received by us. Any personal data sent to Nyborg & Rørdam by ordinary email are therefore sent at the sender’s risk.
11. Effective date and amendments
11.1. This policy for Nyborg & Rørdam Law Firm’s processing of personal data is effective from February 2023.
11.2. Nyborg & Rørdam may amend this policy. If so, such changes will be posted on our website.
- The term “processing” covers any operation or set of operations performed on personal data, including collection, receipt, own use, disclosure and erasure.
- If we act exclusively or additionally as data processor for our clients in certain types of Legal Casework, a separate data processor agreement will be concluded. By way of example, this could be if we agree to store materials for the client beyond our general record-keeping duties, provide whistleblowing functions or assist with a limited project, etc.
- Article 5(2) of the General Data Protection Regulation (“GDPR”) lays down the fundamental principles of good data processing practices, which include the principles of (i) lawfulness, fairness and transparency, (ii) purpose limitation, (iii) data minimisation, (iv) accuracy, (v) storage limitation, (vi) integrity and confidentiality and (vii) accountability.
- With regard to administration of estates of deceased persons, this will include data about the deceased person.
- Special categories of personal data are defined in article 9 of the GDPR and include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.