This Privacy Policy applies to Advokatfirmaet Magnus Legal AS ("Magnus Legal").

It is important for us that your personal data are processed in a safe and secure manner, in accordance with prevailing data protection laws and other legislation.

The Privacy Policy describes what a privacy policy is, how Magnus Legal processes your personal data, the purpose of our processing activities and the legal basis for our processing activities. This Privacy Policy also describes your rights in connection with our processing of your personal data under prevailing data protection legislation.

Magnus Legal is the data controller in relation to processing of personal data as described in this Privacy Policy. We do not process personal data without the existence of a lawful processing basis and not beyond what is necessary to fulfill a lawful purpose. Our subcontractors are only permitted to process personal data on our behalf in accordance with a data processing agreement and our requirements for information security.

You are always welcome to contact us if you have any questions regarding our processing of personal data. For contact information, please see clause 11 below.

When referring to GDPR, this is to be understood as a reference to the (EU) 2016/679 General Data Protection Regulation ("GDPR"). 

Personal data means any information relating to an identified or identifiable natural person. Name, address, phone number, e-mail address and social security number are examples of information which generally is regarded as personal data.

This Privacy Policy addresses our processing of personal data regarding the following individuals:

• Private individuals;
• The contact persons of corporate clients;
• Individuals involved in matters we assist in;
• Other persons mentioned in the case documents we have access to;
• The contact persons of suppliers and other collaborators; and
• Visitors to our web site

Below, we have listed the typical purposes for our processing of personal data, the categories of personal data we typically process, and the legal bases for such processing.

Establishing legal assignments

When a client requests our services, we perform a conflict check before taking on the engagement. The conflict check serves a legitimate purpose and has a basis in GDPR article 6 No. 1 (f) (balancing of interests). Conflict checks regarding private clients usually include full name, what the case concerns and, if relevant, credit worthiness. In general, conflict checks on behalf of corporate clients will not involve processing of personal data.

When establishing a client relationship in cases involving the execution or planning of a transaction, we will conduct a customer due diligence in accordance with the Norwegian Money Laundering Act. We will collect documentation confirming the client’s identity, as well as the identity of the real licensee of the client. We will also collect personal data regarding the purpose of the legal assignment. If you are a private client, we will collect your full name, social security number or identity number and address. If you do not have a social security number or identity number, we will collect information regarding your date of birth, birthplace, gender and citizenship. If the client is a legal person that is not registered in a public registry, we will collect personal data about the owner, general manager or similar contact person. The client due diligence is essential for the compliance with a legal obligation, cf. GDPR Article 6 No. 1 (c).

If we can take on the assignment, the following contact information will be registered: your full name, email address, address, telephone number and job title. For private clients, this is required in order to enter into an assignment contract, cf. GDPR Article 6 No. 1 (b). For business clients, the registration of contact information is based on a balancing of interests, cf. GDPR Article 6 No. 1 (f).

Case management

Some assignments require access to personal data regarding parties, third parties or other individuals involved in the case in question. Such information may be found in documents provided by the client or in any other documentation of relevance to the case. In connection with assignments for business clients, such data processing is based on GDPR Article 6 No. 1 (f) (balancing of interests).

In some cases, we get access to special categories of personal data, such as health information or sentences and criminal offenses. The basis for such data processing is provided in the GDPR Article 9 No. 2 (f) (the processing is necessary for the establishment, exercise or defense of legal claims), cf. Section 11 of the Personal Data Act.

Knowledge management

As part of the knowledge management in Magnus Legal, documents in a case could be used in subsequent cases. Documents stored in our experience archive are anonymized. In addition, internal sharing of documents occurs. The documents shared internally will be anonymized prior to storage on a different case. The basis for processing is our interest in utilizing prepared knowledge in further counselling, cf. GDPR Article 6, No. 1 (f) (balancing of interests).

Client Management

Separate electronic files are established for all assignments. Time and costs accrued are registered in our accounting system. For business clients, the client management is based on GDPR Article 6 No. 1 (f) (balancing of interests). For private clients the client management is necessary for the performance of a contract to which the data subject is party, cf. GDPR Article 6 No. 1 (b).

Filing and storage of case documents

Magnus Legal store documents for 10 years after completing an assignment. Storage in the said time span is recommended by the Norwegian Bar Association and considered necessary for both the client and us, as questions and disputes may arise, and where the information stored could be of relevance. The legal basis for the storage of personal data is GDPR article 6 No. 1 (f) (balancing of interest) and GDPR article 9 No. 2 (f) (the processing is necessary for the establishment, exercise or defense of legal claims), cf. Section 11 of the Personal Data Act.

Invoicing

Invoices to corporate clients are marked with personal data of a contact person if requested by the client. For private clients, we will use the individual's private postal address or email address for invoicing. The legal basis for the processing is GDPR Article 6 No. 1 (f) (balancing of interests) for corporate clients and for private clients GDPR Article 6 No. 1 (b) (processing is necessary for the performance of a contract to which the data subject is party). 

IT operations and security

Personal data stored in our IT systems will be available to us or our contractors in connection with system updates, implementation or follow-up on security measures, error recovery or other maintenance. Our contractors act in accordance with data processing agreements and under our instructions. The legal basis for the processing is GDPR Article 6 No. 1 (f) (balancing of interests), and our legal obligation to have satisfactory data security in place, cf. GDPR Article 32 and GDPR Article 6 No. 1 (c).

Marketing

Magnus Legal sends invitations to customer events and blog notifications to e-mail addresses registered on current clients and others who have consented to receive invitations and notifications from us. Recipients of such notifications may easily unsubscribe from the service by using a link included in all e-mails. The legal basis for the processing is GDPR Article 6 No. 1 (f) (balancing of interest) where we have received the e-mail address in connection with an assignment. In current client relationships the marketing will be in accordance with the Marketing Act Section 15 (3). The marketing is otherwise based on consent from the individual, cf. GDPR Article 6 No. 1 (a) and the Marketing Act Section 15 (1).

Recruitment

Magnus Legal will keep job applications, resumes and other submitted documentation in order to contact former applicants for future available positions. The basis for the processing is GDPR Article 6 No. 1 (a) (consent). The access to the personal data is limited to employees who need to have access to the documents. The documents are stored for maximum three years after ended application procedure.

Magnus Legal owns the website magnuslegal.no, including respons.magnuslegal.no and blog.magnus.legal.no. All content published on our web pages belongs to Magnus Legal. By using our websites, you consent to processing of personal data in accordance with this Privacy Policy.

Personal data collected on our websites may be used for marketing purposes such as invitations to seminars and other events, as well as information about our services and other direct and indirect marketing. Personal data collected may also be used for statistical purposes, as well as operation, maintenance and improvement of our websites. The basis for the processing is GDPR Article 6 No. 1 (a) (consent), cf. the Marketing Act Section 15 (1).

Cookies are small text files that are stored on your computer or mobile device. Magnus Legal uses cookies to analyze visits to our websites and for marketing initiatives.

By visiting our websites, you agree to our use of cookies. Most browsers accept cookies automatically. You may prevent cookies from being stored on your computer by changing the settings of your browser. In your browser, you can also delete stored cookies. For more information about managing the use of cookies in your browser, read more here (external web page). Please note that by blocking the use of cookies in your browser, our websites may not work optimally.

Magnus Legal uses Google Analytics and HubSpot. Hubspot will ask your browser to accept cookies (external web page). When visiting our websites, cookies will track you anonymously until you optionally provide your contact information in one of our forms and give your consent to direct or indirect marketing efforts from us. The consent implies that personal data you provide may be linked to the data that has previously been anonymously stored about your use of our websites. If you would like more information on how this works, read more here (external web page).

Google Analytics is a web analytics tool that collects data and prepares statistics for improvement and development of our web pages. All data collected through Google Analytics from our web pages will be anonymized before it is stored by Google. If you wish to prevent your data from being collected by Google Analytics, you will find information about Google Analytics Opt-out Browser Add-on here (external web page).

For the operations of our websites, web analytics and marketing efforts, we use the following subcontractors:

• Avidly Norway AS (prev. Inbound Norway AS)
• ECIT Software A/S
• HubSpot Inc.
• Google Inc.

Magnus Legal is also using cookies through our presence in social media. When visiting our websites and our profiles in social media, the social media channel collects personal data that is used to compile statistics. Magnus Legal does not have access to the personal data collected, but we can access anonymous statistics prepared by the social media channel based on the information gathered.

Magnus Legal has profiles in social media, and we are using plug-ins from social media on our websites. When visiting our websites or our profiles in social media, the social media channel will process your personal data and use cookies. More information on how the social media channel is processing personal data and their use of cookies, you will find in the social media’s information on data protection and cookies. In some cases, via the social media, Magnus Legal can use such data to make targeted advertisement.

Lawyers’ professional secrecy is a statutory obligation. All information entrusted to us in connection with an assignment will be handled confidentially.

Our IT subcontractors may have access to personal data if such data is stored with the subcontractor or in any other way is available to the subcontractor. The subcontractors are acting under our instructions and in accordance with data processor agreements. The subcontractors can only make use of the personal data for those purposes we have determined and as described in this privacy policy.

We are using subcontractors in countries outside the EU and EEA. Regarding transfer of personal data to such subcontractors we use EUs standard contracts for data transfers (click for more information).

Magnus Legal cooperates with Inventura AS on public procurement. We share personal data with Inventura AS only if our customers or potential customers actively have given their explicit consent to be contacted by Inventura AS.

We do not disclose personal data in any other manners than those described in this privacy policy unless the client explicitly encourages or give their explicit consent to such disclosure or the disclosure is decreed by law.  

You have legal rights in connection with our processing of your personal data. What rights you have depend on the circumstances.

Withdrawal of consent

If you have given you consent to receive blog notifications or other information from us, you may at any time withdraw this consent. We have arranged for an easy way to opt-out of this kind of approach by including a link to a deregistration form in each communication. If you have consented to any other data processing, you may at any time withdraw your consent by directing an enquiry to us.

Right of access

You have the right to access the personal data we have registered concerning you, unless professional secrecy impedes this. In order to ensure that personal data is delivered to the right person, we may require that a request for access is provided in writing or that your identity is otherwise verified.

Right to rectification or erasure

You have the right to obtain ratification of inaccurate personal data concerning you, and the right to erasure of personal data. We will to the extent possible comply with a request to erase personal data, unless further processing is necessary, e.g. that we need to store the information for documentation purposes.

Data portability

If we process personal data concerning you based on consent or on the basis of an agreement, and the personal data is processed automatically, you may ask us to transmit your personal data to you or to another law firm in a structured, commonly used and machine-readable format.

Complaint to the supervisory authority

If you disagree with the way in which we process your personal data, you may lodge a complaint with the Norwegian Data Protection Authority.

We have established routines for secure processing of personal data and client information in general. The measures are of both technical and organisational nature. We regularly evaluate the security of all central systems used for data processing, and we have concluded contracts that instruct subcontractors of such systems to ensure satisfactory information security.

Access to personal data (and client/case information) is limited to personnel that need such access in order to perform their work.

We have adopted IT guidelines, and our employees are regularly trained about security and secure use of IT systems.

If you have any questions or comments about our Privacy Policy, or you want to exercise your rights, please contact us at post@magnuslegal.no or by post:

Advokatfirmaet Magnus Legal AS
P.O. Box 904 Sentrum
5808 Bergen
Norway

We reserve the right to amend or update this Privacy Policy. All changes apply from the time they were published, and you will always find the latest version of the Privacy Policy on our website. In the event of material changes, you will be notified. If you want to know when the Privacy Policy was last updated, see the "Last Updated" section at the bottom of the page.

Last updated: August 14, 2020.