1. Who Do We Process Personal Data in relation to?
CORE Law Firm protects and processes personal data relating to our clients, counter parties, suppliers, business partners and recipients of marketing information etcetera in accordance with applicable data protection laws and regulations.
The relevant data protection laws and regulations applicable for our processing of personal data as at the date hereof (August 2020) are set out in the General Data Protection Regulation (Regulation no. 2016/679 of 27 April 2016 of THE EUROPEAN PARLIAMENT AND OF THE COUNCIL) (”GDPR”) and the Danish Data Protection Act (”Persondataloven”, Act no. 502 of 23 May 2018) both as amended from time to time.
CORE Law Firm is the data controller in relation to the processing of your personal data. Our legal information is:
CORE Law Firm/CORE Advokatfirma
Klostergade 60, 1. sal, 8000 Aarhus C, Denmark
Phone: +45 22 20 80 75
We namely process personal data in the following situations: (a) when we establish client relationships and (b) in the performance of our legal advisory services.
Please see Exbibits A-B below for a detailed description of when, how and for which purposes we collect and process personal data in these situations.
2. Which Types of Personal Data Do We Process?
”Personal Data” includes any form of information relating to an identified or identifiable natural person (“ the data subject”), such as name, title, address, e-mail address, phone numbers, social security and identification numbers or one or more factors specific to the physical, mental, economic, cultural or social identity of that natural person. Information in relation to legal persons are not included in the definition of personal data.
Depending on the specific nature of the matter and our advice, we process personal data such as name, title, address, e-mail address, phone number, social security and identification numbers (e.g. Danish CPR-numbers).
3. Where does the Personal Data Originate from?
We collect personal data directly from you or from third parties, e.g. our clients, public authorities, public registers/databases or counter parties.
4. How do we Process Personal Data?
”Processing” of personal data covers any activity which includes personal data, such as collection, registration, systematisation, organisation, storage, adaption, modification, searching, usage or transfer.
We primarily process personal data in relation to our clients, counter parties, suppliers and business partners and only so far as required for the specific purpose and always subject to a valid legal basis.
We will frequently need to process personal data such as names, titles, phone numbers, addresses and e-mail addresses. This processing takes place in order for us to be able to (a) deliver our legal services, (b) invoice, (c) to control and ensure quality of our services and (d) to ensure compliance with applicable Anti-Money Laundering laws and regulations which sets out obligations for us to collect documentation to identify and document the identify of our clients and business partners in certain matters.
Furthermore, we may in certain cases need to process personal data in relation to criminal convictions and offences and sensitive personal data.
5. Who do We Transfer Personal Data to?
We only transfer personal data to external parties, if necessary or we are legally required to do so and always subject to a valid legal basis. Recipient of personal data may be public authorities, the police, tax authorities, Danish or foreign courts, arbitration tribunals, other law firms or counter parties in cases depending on the nature of the specific matter. Furthermore, we transfer data to independent third party data processors (e.g. our IT system providers). Such data processors solely process the personal data on behalf of us and in accordance with our instructions.
Internally, personal data is only available/accessible for those of our staff members that need to have access to such personal data in order to carry out their work obligations and the services we provide.
We will not transfer your personal information to third countries (countries outside the EU/EEA). In case such transfer, as an exception, is required, it will only take place in accordance with the appropriate safeguards as required under applicable laws and regulations.
6. Which Legal Basis do We Process your Personal Data on?
We collect and process personal data on the following legal basis:
In connection with the provision of legal services we process personal data relating to clients, counter parties and business partners on the basis of GDPR Art. 6(1), litra b and Art. 9 (2), litra f based on our legitimate interests in establishing, pleading and defending legal rights as well as representing the interests of our clients. We also process personal data in relation to our clients on the basis of GDPR Art. 6 (1), litra b if and when the processing is necessary to enter into or perform contracts and our obligations in respect of legal services.
Generally, company information is not subject to the GDPR, however, according to circumstances we may process information about your identity, contact information, and professional information, including name, email address, telephone number, your home address, position, educational background, and information about our business relationship. Also, we process financial information, including payment and tax information. The legal basis for our processing in this respect is GDPR Art. 6 (1), litra b.
Anti-Money Laundering Act
Since we as a law firm are subject to duties under the Danish Anti-Money Laundering Act (hvidvaskloven) in connection with some of our legal services, we will also be processing your personal information in this connection, including identity information such as name, civil reg. no., passport no., etc. We solely process identity information obtained under the Anti-Money Laundering Act with a view to performing our duties under the Act. Identity information will not be applied for commercial purposes. The legal basis for such processing is the Anti-Money Laundering Act.
Seminars and Workshops
We process personal data in relation to participants in seminars and workshops on the basis of GDPR Art. 6 (1), litra b or Art. 6 (1), litra f based on our primary interest in registering participants, managing the seminar/workshop and to be able to distribute relevant handouts and feedback forms.
We only process your personal data in relation to marketing purposes on the basis of your explicit consent. Such processing is thus made with legal basis in GDPR Art. 6(1), litra a.
Generally, we process personal data when we are under a legal obligation to do so. In such case the legal basis for our processing is GDPR 6 (1), litra c. We process social security and national identification numbers/tax numbers on the basis of Art 11 (2) of the Danish Data Protection Act. Depending on the specific circumstances in the case or cases on which we assist, we may also process sensitive personal data, see GDPR Art. 9 (2) litra f, and/or information about criminal offences, see s. 8(3) and (4) of the Danish Data Protection Act (databeskyttelsesloven).
7. When Do We Delete your Personal Data?
We delete your personal data, registered by us, once the personal data is no longer needed for the purpose for which they were collected or processed.
We have established internal policies for the storage of all categories of personal data. These are based on the obligations that we are subject to under applicable law, including applicable documentation, bookkeeping and auditing requirements as well as laws on statutory limitation. Such legislation may entail an obligation or right for us to store such data for an extended period of time.
8. Which Rights do You Enjoy?
Based on applicable data protection laws and regulations you enjoy a number of rights in relation to our processing of your personal data, however limited by certain statutory exceptions.
If you would like to exercise one of more of these rights, please contact us using the below contact information under the Section ”Contact Us”.
You have the following rights:
The Right to Access to Information on the Personal Data that We Process
You have the right to access and gain insight to the personal data which we process in relation to you.
However, as Danish lawyers, we are subject to specific confidentiality obligations pursuant to the Administration of Justice Act (”Retsplejeloven”) and the Code of Conduct of the Danish Bar Association which may result in us not informing you of every processing of personal data relating to you based on our obligations to comply with such confidentiality obligations.
We are also entitled to refrain from informing you on our processing of your personal data based on consideration of critical private or public interests, if we deem consideration to such interests to superseed consideration of your interests in receiving information. This exception is relevant, if informing you of our processing has negative impact on our representation of our clients’ interests, e.g. in connection with enforcement of claims, control and monitoring actions and internal investigations.
Furthermore, we are entitled to refrain from informing you on our processing of your personal data, if you are already familiar with such processing or in case it is impossible, would require disproportionate efforts or hinder the purpose of the processing to inform you.
The Right to Rectify (correction)
You have the right to rectify incorrect personal data and information and to update your personal data.
The Right of Erasure
Under certain circumstances you have the right to have personal data erased, prior to the occurence of our general time limits for erasure of different types of personal data.
The Right to Limit Processing
In certain cases, you have the right to request limitation of the processing of personal data relating to you.
The Right to Object
In certain cases you have the right to object to our otherwise legal processing of your personal data.
The Right to Withdraw Your Consent
If our processing of your personal data is made on the legal basis of your consent, you may at any time withdraw your consent. You may do so by contacting us using the below contact information under the Section ”Contact Us”.
If you choose to withdraw your consent, this will not affect the validity or legality of the processing already made up to the point in time of the withdrawal. It will only have legal effect from the time of the withdrawal.
You may read more about your rights in the guidelines of the rights of data subjects made public by the Danish Data Protection Agency at www.datatilsynet.dk.
You have the right under certain circumstances to request that we transmit your personal data to you or to another data controller in a structured and customary way and in a machine-readable format.
We have adopted internal procedures and policies designed to ensure that we live up to our high security standard and thus comply with the requirements for implementation of suitable technical and organisational security measures for the protection of personal data and our processing thereof.
10. Contact Us
You may contact us at any time, if you wish to exercise your rights as set out under Section 8 above, would like to file a complaint or if you have any questions to our Privacy and Personal Data Policy.
You may contact your contact person with us or use the following contact details:
CORE Law Firm
Klostergade 60, 1. sal, 8000 Aarhus C, Denmark
Att.: Attorney Bjarke Holm Hansen
Phone: +45 22 20 80 75
In connection with inquiries concerning your rights, we ask that you provide us with adequate information to process your inquiry, including your full name and your email address, so that we may identify you and respond to your inquiry. We will respond to your inquiry as soon as possible.
11. Compliants to the Danish Data Protection Agency
You may file a complaint with the Danish Data Protection Agency in relation to our processing of your personal data. More information is available at www.datatilsynet.dk.
12. Amendments to Our Privacy and Personal Data Policy
Our Privacy and Personal Data Policy is latest revised as of 1 August 2020. We reserve the right to change this Privacy and Personal Data Policy based on material changes in legislation or other relevant circumstances.