Version 2.2 of November 28, 2024
1. Introduction
This privacy notice provides information on how Horten Advokatpartnerselskab ("Horten") processes personal data in cases governed by the Danish Act on Measures to Prevent Money Laundering and Financing of Terrorism (the AML Act). The Danish Financial Supervising Authority has made an unofficial translation of the Act available on their website www.dfsa.dk.
We are required to provide this information under Section 16(1) of the AML Act and Articles 13, 14 and 21 of the General Data Protection Regulation (EU Regulation no. 2016/679 of 27 April 2016) (the "GDPR"). In this privacy notice, we also refer to the Danish Data Protection Act (Act no. 502 of 23 May 2018). The Danish Data Protection Agency has made an unofficial translation of the Act available on their website www.datatilsynet.dk.
In the following, we will inform you about the purposes and legal bases for our processing of personal data, the sources of the data, the recipients of the data, the retention periods and your rights.
We are bound by professional secrecy provisions under the Danish Administration of Justice Act and the Rules of the Danish Bar and Law Society.
2. Controller
Horten Advokatpartnerselskab
CVR no. 33775229
Philip Heymans Allé 7
DK-2900 Hellerup
Denmark
Horten also has offices at Frederiks Plads 36, DK-8000 Aarhus C, and at Godsbanevej 1B, DK-7400 Herning, under the same CVR/TIN number.
3. What are the purposes of the processing?
The AML Act requires that we carry out "know your customer" activities (due diligence) (Chapter 3) and contains provisions on investigation, registration, reporting and record-keeping (Chapter 5).
Horten is required to carry out customer due diligence activities (KYC procedures) before we provide legal services falling within the scope of Section 1(1)(13) of the AML Act to our clients. The obligations include e.g. the identification and legitimization of our clients and lawyers appointed to act on behalf of clients.
The AML Act further requires us to investigate transactions that may be related to money laundering or financing of terrorism. If our KYC procedures do not disprove a suspicion, we are – depending on whether our professional secrecy obligations apply – required to notify the Danish Money Laundering Secretariat or withdraw ourselves from the matter. The notification requirement also applies, if clients refuse to submit identification documents or refuse to cooperate during the KYC procedures.
If we decline a client cooperation, we record the name of the client, the reason for rejection and information about the reviewed documentation, but we do not store collected identification documents.
In an ongoing client relationship, we will occasionally contact you to ensure that our information and copies of identification documents are up to date.
4. What are the legal bases for our processing?
We process personal data on the basis of Article 6(1)(e) of the GDPR (performance of tasks carried out in the public interest).
The public interest is to prevent money laundering and terrorism financing. Horten's legal obligations are stipulated in the AML Act, which requires customer due diligence in Chapter 3 and contains obligations concerning investigation, registration, reporting and record-keeping in Chapter 5.
We process civil registration numbers based on Section 11(2)(1) of the Data Protection Act, cf. Section 11(1)(1)(a) of the AML Act.
If we decline a client cooperation, our legal basis for processing is Article 6(1)(f) of the GDPR as our legitimate interest is to document that we have properly addressed money laundering and terrorism financing risks.
5. Which personal data are processed by Horten?
When we perform KYC checks and conduct investigations, we process information about our clients (individuals and legal persons) and lawyers appointed to act on behalf of clients. If our client is a legal entity, we process data on ownership, control, structure and personal data on beneficial owners, management members and other contact persons.
This usually includes information about name, address, email, phone number, date of birth, civil registration number and status as a politically exposed person (PEP) or whether a person is connected to or is a close associate to a PEP.
We must confirm such information in the form of e.g. a scanned copy of a passport, a driver’s licence, a health insurance card, an equivalent national ID with a unique identification number, a birth certificate, a certificate of baptism and name certificate.
6. Where do we collect the personal data from?
The information originates from the individuals themselves and from the companies and authorities from which we collect data from to comply with our obligations under the AML Act. We verify the information based on documents, data and information obtained from reliable and independent sources such as the Danish CVR - Central Business Register.
7. Does Horten disclose the personal data to others?
The personal data that we collect under the AML Act may be processed only for the purpose of preventing money laundering and terrorism financing.
We do not make personal data available to third parties for other purposes. We will disclose information only to the extent that we are obligated to do so under the AML Act, when our duty of confidentiality does not apply (Section 10 below).
When we set up a client account with a bank, we share personal data with the concerned bank, which is also subject to the AML Act.
If we process a transaction where suspicions arise that the transaction is related to money laundering or terrorism financing, or in other situations in which we are required to notify the Money Laundering Secretariat, we will disclose information only, when we are not restricted by our professional secrecy obligations. In these situations, we share information with our supervisory authority (the Secretariat of the Danish Bar and Law Society) and the Money Laundering Secretariat.
In the event that one of our lawyers changes workplace and transfers their open cases to their new workplace, the lawyer may also bring along KYC documentation collected during KYC procedures in the transferred cases. The purpose of this transfer of personal data is to comply with legal obligations to supervisory authorities, which lawyers and law firms are subject to.
We also disclose personal data to our processors when they process personal data on our behalf and based on our instructions, e.g. processors providing IT systems, backup and support.
8. For how long will Horten retain the personal data?
We delete personal data five years after a case is closed or when a one-off transaction is completed in accordance with Section 30(2) of the AML Act.
We keep documentation that we have granted or refused your request to exercise your personal data rights under the GDPR for five years based on Section 41(7) of the Data Protection Act.
9. Does Horten transfer the personal data to third countries?
In some situations, we transfer personal data to countries outside the EU. In such cases, the transfer is based on the European Commission's Standard Contractual Clauses for data transfers to third countries. You can contact us if you, as a data subject, wish to receive a copy thereof.
10. What are your rights as a data subject?
Below, we have listed the rights under the data protection rules, but please note that there are conditions attached to the use of some of them, and there are exemptions to them, e.g. in the AML Act, the GDPR, the Data Protection Act, the Administration of Justice Act and the Rules of the Danish Bar and Law Society.
If we are under an obligation to investigate (Section 25 of the AML Act) or to report to the authorities (Section 26 of the AML Act), we are legally prevented from informing individuals or granting data subjects access to information about an investigation or a notification to our supervisory authority (the Danish Bar and Law Society) and the Money Laundering Secretariat pursuant to Section 38 of the AML Act.
You have the right to access the data that we process about you, receive a copy of the data and supplementary information. However, as a law firm, we are subject to the rules on professional secrecy under the Administration of Justice Act and the Rules of the Danish Bar and Law Society. Our professional secrecy obligations may justify that we in some cases refuse to provide all or some of the requested information, but it is a case-by-case assessment.
You have the right to have inaccurate personal data about you rectified or completed, if it is incomplete.
In special cases, you have the right to have personal data about you erased, before erasure for the processing generally takes place.
In certain situations, you have the right to have the processing of personal data restricted. When processing is restricted, we may process your personal data in the future - except for storage – only with your consent or for the establishment, exercise or defence of legal claims or for the protection of another person (natural or legal) or important public interest.
In certain cases, you have the right to receive personal data about you in a structured, commonly used and machine-readable format and to have the data transmitted from one controller to another without hindrance.
Right to object: You have the right to object to the processing, when our processing is based on Article 6(1)(e) or (f) of the GDPR, unless the processing of the personal data is for the establishment, exercise or defence of legal claims.
We keep evidence that we have granted or refused your request to exercise your rights under the GDPR for five years.
You can read more about your rights in the Danish Data Protection Agency’s guidelines about data subjects' rights, which can be found at www.datatilsynet.dk.
11. Complaints to the Data Protection Agency
You have the right to submit a complaint to the Data Protection Agency about our processing of your personal data. For more information, please visit the website of the Danish Data Protection Agency: www.datatilsynet.dk.
12. Questions?
You are welcome to contact Horten’s internal compliance team by email at intern-compliance@horten.dk or by phone at +45 33 34 40 00 (the reception) if you have questions or wish to exercise your rights.
You are welcome to contact Horten's AML team by email at AML.control@horten.dk or by phone at +45 33 34 40 00 (the reception), if you have questions about the documentation requested in connection with the KYC procedures in a specific case.