According to the GDPR, we are required to provide information on our processing of personal data and the rights of data subjects. This information is provided below:
Our collection of data
When advising our clients, we receive various documents and information electronically from our clients, including their staff. These documents and information are stored in a digital case file and in some situations also in a physical case file. The documents and information received from our clients often include personal data, and we often receive additional personal data along the way, e.g. from opponents and their advisers, authorities and courts as well as their contact persons, or by way of publicly available information collected by Horten itself. This may be general personal data such as name and contact details. It may also be civil registration numbers (CPR-nr.) or information on criminal offences; and it may be sensitive personal data about health and union membership. The information may concern our clients or other persons involved in the relevant case.
Newsletters and Ret & Indsigt
When a subscriber signs up for Horten's newsletters and the magazine Ret & Indsigt, we register name, e-mail-address and legal area of interest. If the subscriber wishes to receive Ret & Indsigt by post, we register name, e-mail address, title, organisation and address. We use the data to send Horten's newsletters and/or Ret & Indsigt. A few employees at Horten have access to the subscriber list. By means of this information, Horten keeps track of the scope and nature of subscriptions, enabling us to improve our client communication. Subscribers may unsubscribe at any time if they wish to stop receiving newsletters and the news magazine Ret & Indsigt by clicking unsubscribe at the bottom of the e-mail accompanying the newsletter or magazine. Recipients of the printed version of Ret & Indsigt may unsubscribe by sending an e-mail to email@example.com.
When participants sign up for events at Horten, we usually register name and e-mail address for the purpose of communication about the event. Based on a specific assessment, we may also use the data for preparing lists of participants to be handed out to participants and speakers at our events. More information on this is contained in the sign-up conditions, which must be accepted when signing up for our events.
When receiving applications, we receive various documents from the applicant. The documents are stored in our HR system to which only our recruitment officer has access. The documents contain personal data, e.g. general information such as name, contact details, reference to previous employment, diplomas, civil reg. nos. (CPR-nr.) or sensitive data such as health data.
Horten Advokatpartnerselskab, Philip Heymans Alle 7, DK-2900 Hellerup, CVR no. 33775229, is controller of data received in connection with our general advice to clients. Our contact details are: telephone +45 3334 4000, e-mail: firstname.lastname@example.org (encrypted e-mail: email@example.com). If you have any questions about our processing of your personal data, please contact us on firstname.lastname@example.org.
Purpose and background
We process the data we receive for the purpose of advising our clients in the cases which the data concern. The processing takes place depending on the nature of the assignment and of the data, with authority in Article 6 (1), paragraph b, c or f, Article 9 (2), paragraph f of the GDPR, or section 8 (3) of the Danish Data Protection Act. Generally, the authority to collect and process the data is that it is necessary for performing the contract with our clients or for safeguarding our clients’ legitimate interests or establishing, exercising on or defending their legal claims. Our processing of civil registration numbers is authorised in section 11 of the Data Protection Act.
Processing of data in connection with signing up for newsletters, Ret & Indsigt or events is authorised in Article 6 (1), paragraph a, b or f of the GDPR. In cases covered by the Danish Act on Measures to Prevent Money Laundering and Terrorist Financing, we collect identification data etc. on our clients in order to comply with the requirements of that Act. The authority for this processing is laid down in section 11 of the Act on Measures to Prevent Money Laundering and Terrorist Financing.
In connection with applications, we generally process personal data with authority in Article 6 81), paragraph b of the GDPR, as the data have been forwarded by the applicants themselves in order to obtain employment. Processing of personality tests, logical tests, etc. is also authorised in Article 6 (1), paragraph f of the GDPR or via consent, cf. Article 6 (1), paragraph a, and - as far as sensitive data are concerned - Article 9 (2), paragraph a of the GDPR and section 12 of the Data Protection Act.
We will not make personal data available to any third parties for the purpose of marketing or the like.
We only transfer personal data if it is necessary for us to be able to safeguard our clients’ above-mentioned interests. The typical recipients of such data are authorities, courts, opponents and their advisers. In cases covered by the Act on Measures to Prevent Money Laundering and Terrorist Financing, we transfer identification data etc. to the extent we are obligated to do so under the Act.
We usually do not transfer data outside the EU, and if such transfer might take place, it will occur only in compliance with the necessary safeguards as required under current data protection legislation.
We transfer personal data to our systems suppliers, Mimecast and HighQ, under processor agreements and for the sole purpose of enabling us to use the relevant IT systems.
We have taken appropriate technical and organisational measures to protect against unauthorised access to, loss or destruction of data for which we are responsible. We develop our security policies and procedures on a regular basis to ensure that our systems are secure and protected. Only persons with a legitimate need for processing personal data for the above-mentioned purposes have access to those data.
We store personal data as long as there is a relevant legal interest therein, which is usually determined based on a specific assessment of the significance of the data compared with the current statute of limitations. If there is a relevant legal interest, data may be stored for up to 10 years after the case has been closed.
In cases covered by the Act on Measures to Prevent Money Laundering and Terrorist Financing, we store identification data for five years after the case has been closed., according to the current rules.
The data subject’s rights
According to the GDPR, the data subject is entitled:
- to have insight into the personal data processed by us;
- to have incorrect data deleted;
- in special cases, to have data deleted before our general deletion takes place;
- to limit processing so that processing - except for storage - may only take place in the future subject to consent or for the purpose of establishing, exercising or defending a legal claim or to protect a person or important public interests;
- in certain situations, to object to our legal processing of your personal data;
- to receive the registered personal data in a structured, commonly used and machine-readable format and to have the data transferred from one controller to another without hindrance.
In connection with the data subject’s exercise of the above-mentioned rights, we may demand relevant identification.
For more information on your rights, see the Danish Data Protection Agency’s guidelines describing the data subject’s rights on www.datatilsynet.dk.
You may file a complaint with the Danish Data Protection Agency if you are dissatisfied with our processing of your personal data. You can find the contact details of the Danish Data Protection Agency on www.datatilsynet.dk.
This information has been updated in May 2018 and will be updated on a regular basis according to the current rules and practice and in line with any adjustments of our procedures.