Privacy notice for debtors in the debt collection process

Version 1.3 of March 20th 2024

1. Introduction

This privacy notice provides information on how Horten Advokatpartnerselskab ("Horten" and "we") processes personal data about debtors ("you") in debt collection cases and invoice case management (collectively referred to as collection cases).

We are required to provide this information under Articles 13, 14 and 21 of the General Data Protection Regulation (EU Regulation no. 2016/679 of 27 April 2016) (the “GDPR”). In this privacy notice, we also refer to the Danish Data Protection Act (Act no. 502 of 23 May 2018) (The DPA).

In the following, we will inform you about the purposes and legal bases for our processing of personal data, the sources of the data, the recipients of the data, the retention periods and your rights under the GDPR.

We are bound by professional secrecy provisions under the Danish Administration of Justice Act and the Rules of the Danish Bar and Law Society regarding client-related information.

You are welcome to contact Horten’s internal compliance team at intern-compliance@horten.dk or by phone +45 33 34 40 00 (the reception) if you have any questions or wish to exercise your rights.

2. Data controller

Horten is the data controller of the processing of personal data that we collect and receive about you in the debt collection process where Horten, representing the creditor, has been requested to recover creditor's unpaid debt from you.

Our legal information is as follows:

Horten Advokatpartnerselskab
CVR no. 33775229
Philip Heymans Allé 7
DK-2900 Hellerup
Denmark

We also have offices at Frederiks Plads 36, DK-8000 Aarhus C, and at Godsbanevej 1B, DK-7400 Herning, under the same CVR/TIN number.

3. Closed-circuit television (cctv)

If you visit Horten’s offices, you are hereby informed that we monitor entrances and parking basements through CCTV as part of our security measures and for prevention and detection of crime. We base this processing on our our legitimate interest in securing our buildings and information (Article 6(1)(f) of the GDPR). CCTV surveillance is carried out in accordance with the Danish Television Surveillance Act.

We will pass on CCTV images to the police, if there is an incident that requires this.

4. The processing of personal data in connection with collection cases

4.1 What are the purposes of the processing?

In debt collection cases, Horten's assignment, as a lawyer, is to collect our client's outstanding claim against you. We do this through e.g. a voluntary installment plan or through enforcement actions, including e.g. in the form of legal court proceedings arising from the debt collection process, repossession of a financed asset or forced sale of a mortgaged asset.

In invoice case management, Horten's assignment, as a lawyer, is to manage out client's reminder service for outstanding claims against you.

4.2 What kind of personal data does Horten process and where do we collect it?

In collection cases, we usually receive your contact details (name, address, phone number and email) and information about the debt from our client (creditor).

In addition, we may in debt collection cases receive your civil registration number and information about your circumstances related to the debt, financial situation, occupation, family, health and criminal offence data.

We may receive this information directly from you, your lawyer or another consultant in writing, during phone calls or court hearings. In the bailiff court, you are required to answer questions about your financial situation. However, in other situations you may choose which information you wish to share with us.

We process only information about your health or other sensitive personal data if it is necessary to establish a claim or collect the debt, and if you have provided us with the information yourself, or if you have made the information public yourself.

Additionally, we collect information from publicly available sources about your financial situation. At the beginning of the case, we validate the data that we have received from our client (creditor).

The data validation process includes searching:

• Kreditsikring (Experian) or public authorities (address)
• BIQ (address, phone search and real estate)
• Tinglysning and LIFA (real estate)
• RKI (registered debtors)
• Statstidende and Kreditsikring (Experian) (insolvency proceedings, debt discharge, bankruptcy and death)

When relevant, we collect information about asset financing, which may include searching:

• The Register of Motor Vehicles (ownership, user and insurance status)
• Your insurance company and Insurance & Pension Denmark's EDI system (hull insurance)
• Tinglysning (car lien)

4.3 What are the legal bases for Horten’s processing?

We process general personal data based on our legitimate interest in our client (creditor) recovering unpaid debt from you (Article 6(1)(f) of the GDPR). In addition, we process general personal data to enforce and defend legal claims (Article 6(1)(f) of the GDPR).

We process special categories of personal data, depending on the circumstances, to establish, exercise or defend a legal claim (Article 9(2)(f) of the GDPR) or when you have made the data public yourself (Article 9(2)(e) of the GDPR).

We process information about criminal offence data when it is necessary to safeguard a legitimate interest in the case that overrides your interests (DPA section 8(3), second sentence, and Article 10 of the GDPR), and when the processing is necessary to establish, exercise or defend a legal claim (DPA sections 8(3)).

We process civil registration numbers for the purpose of enforcing or defending a legal claim (DPA sections 11(2)(4) and 7(1) and Article 9(2)(f) of the GDPR) and when we e.g. comply with legal reporting obligations to public authorities (DPA 11(2)(1)).

4.4 Does Horten disclose the personal data to others?

We are bound by professional secrecy provisions under the Danish Administration of Justice Act and the Rules of the Danish Bar and Law Society regarding client-related information.

We disclose personal data only if it is necessary in order to safeguard our client’s interests.

As part of our case management, it may be necessary to share your personal data with e.g.:

• Our client (creditor)
• The police
• Courts
• Authorized debt collection consultants
• Collaborative law firms and lawyers appearing on behalf of Horten
• Carriers, locksmiths, workmen, auction houses etc. engaged by Horten as part of the debt collection process
• Skatteforvaltningen (Danish Customs and Tax Authorities), your landlord or others who should receive notification about the seizure of your assets
• Insurance companies
• Gældsstyrelsen (the Danish Debt Collection Agency) (tax refund offset)
• Credit rating agencies, e.g. RKI Kredit Information A/S, Debitor Registret A/S and other credit rating agencies (registration of you as a so-called "bad payer")
• Nets (registration of payment agreement)
• Statstidende

We may also disclose personal data about you to public authorities if it is necessary for compliance with legal obligations, including reporting obligations, which we are subject to.

Furthermore, we disclose personal data to our data processors, who process personal data on our behalf and based on our instructions, for example providers of IT systems, backup and support.

4.5 Does Horten transfer the personal data to third countries?

In some situations, we transfer personal data to countries outside the EU/EEA. In such cases, the transfer is based on the European Commission's Standard Contractual clauses on data transfers to third countries (SCC). You can contact us if you, as a data subject, wish to receive a copy thereof.

4.6 Do automated decision-making and profiling occur?

We do not employ automated decision-making. We do use debtor rating based on whether you are registered in RKI (registered debtors), own real estate, and whether your place of residence is known or unknown.

We only employ debtor rating internally at Horten, which is automatically deleted after your case is closed.

4.7 For how long will Horten retain the personal data?

We will retain your personal data for as long as the information is necessary for the purposes for which they are being processed. When you are registered as a debtor in a collection case, we retain relevant personal data, generally for at least five years from the date of completion of the collection case in question, after which the data is deleted.

Data may be retained for up to 10 years after the case has been closed, if Horten has a relevant legitimate interest.

4.8 What are your rights as a data subject?

Below, we have listed the rights under the data protection rules, but please note that there are conditions attached to the use of some of them, and there are exemptions to them under the GDPR, the DPA, the Administration of Justice Act and the Rules of the Danish Bar and Law Society.

If our processing is based on your consent, you may at any time withdraw your consent. Withdrawal of your consent does not affect the lawfulness of the processing based on the consent before the withdrawal.

You have the right to access the data that we process about you, receive a copy of the data and supplementary information. However, as a law firm, we are subject to the rules on professional secrecy under the Administration of Justice Act and the Rules of the Danish Bar and Law Society regarding client-related information. Our professional secrecy obligations may justify that we in some cases refuse to provide all or some of the requested information, but it is a case-by-case assessment.

You have the right to have inaccurate personal data about you rectified or completed, if it is incomplete.

In special cases, you have the right to have personal data about you erased, before erasure for the processing generally takes place.

In certain situations, you have the right to obtain restriction of processing of your personal data. If the data processing is restricted, we may process your personal data in the future – except for storage – only with your consent or for the establishment, exercise or defence of legal claims or for the protection of another person (natural or legal) or important public interests.

In certain cases, you have the right to receive personal data about you in a structured, commonly used and machine-readable format and to have the data transmitted from one controller to another without hindrance.

Right to object: You have the right to object to the processing, when our processing is based on Article 6(1)(f) of the GDPR, unless the processing of the personal data is necessary for the establishment, exercise or defence of legal claims. You also have the right to object to processing for direct marketing purposes.

We retain evidence that we have granted or denied your request to exercise your rights under the GDPR for five years.

You can read more about your rights in the Danish Data Protection Agency’s guidelines about data subjects' rights, which can be found at www.datatilsynet.dk.

4.9. Complaints to the Data Protection Agency

You have the right to submit a complaint to the Data Protection Agency about our processing of your personal data. For more information, please visit the website of the Danish Data Protection Agency: www.datatilsynet.dk.

If you have any questions about the processing of your personal data or the exercise of your rights, you are welcome to contact us using the contact details in section 1.