According to the GDPR, we are required to provide information on our processing of personal data and the rights of data subjects. This information is provided below:
Our collection of data
When advising our clients, we receive various documents and information electronically from our clients, including their staff. These documents and information are stored in a digital case file and in some situations also in a physical case file. The documents and information received from our clients often include personal data, and we often receive additional personal data along the way, e.g. from opponents and their advisers, authorities and courts as well as their contact persons, or by way of publicly available information collected by Horten itself. This may be general personal data such as name and contact details. It may also be civil registration numbers (CPR-nr.) or information on criminal offences; and it may be sensitive personal data about health and union membership. The information may concern our clients or other persons involved in the relevant cases.
Dunning and debt collection
General: We receive information from our clients about the debt. This includes general personal data such as name and contact details, information about the debt and any security.
In addition, depending on the specific case, we may receive information about civil registration numbers, information about criminal offences or sensitive data about e.g. health to the extent relevant for the case.
Upon registration of a case, we validate the data received via public registers and cooperation partners. This includes verification and check of address data via Kreditvagten (credit warning register) or public authorities, telephone number check, real estate check (land register and LIFA), credit rating check (Experian), check of insolvency proceedings such as debt restructuring, bankruptcy, death (the Danish Official Gazette and Kreditvagten). If relevant, we will obtain information about financed assets via Motorregisteret (the Danish register of vehicles), Tinglysningen (the Danish land register) and via insurance companies or Insurance & Pension Denmark’s EDI system (information about hull and comprehensive motor insurance).
We use profiling by way of debtor scoring based on information about registrations in the credit rating agency, information about ownership of real estate and information about known or unknown addresses. We do not use personal data for the purpose of automatic case decisions.
In addition to the information we receive from clients or collect in connection with debtor validation, we often receive information from the person whom the information concerns. The information received by us includes general personal data such as debts and economic situation, family affairs, etc. We may also receive information from the person whom the debt concerns about civil reg. number, criminal offences or sensitive data about e.g. health. In connection with debt collection, we may also receive personal data from third parties, e.g. police-approved debt collectors, the police and the courts, carriers and auctioneers in connection with repossession and forced sales of financed assets.
In the cases where we provide dunning services to our clients, and debt collection has not been initiated, we will usually not receive, obtain or process the data stated above under “Debt collection”, but only the data stated under “General”.
Newsletters and Ret & Indsigt
When a subscriber signs up for Horten’s newsletters and the news magazine Ret & Indsigt, we register name, e-mail address, organisation and legal area of interest. If the subscriber wishes to receive Ret & Indsigt by post, we also register address. We use the data to send Horten's newsletters and/or Ret & Indsigt. A few employees at Horten have access to the subscriber list. By means of this information, Horten keeps track of the scope and nature of subscriptions, enabling us to improve our client communication. Subscribers may unsubscribe at any time if they wish to stop receiving newsletters and the news magazine Ret & Indsigt by clicking unsubscribe at the bottom of the e-mail accompanying the newsletter or magazine. Recipients of the printed version of Ret & Indsigt may unsubscribe by sending an e-mail to email@example.com.
When participants sign up for events at Horten, we usually register name and e-mail address, title and organisation for the purpose of holding and communicating about the event. Based on a specific assessment, we may also use the data for preparing lists of participants to be handed out to participants and speakers at our events. More information on this is contained in the sign-up conditions, which must be accepted when signing up for our events.
When receiving applications, we receive various documents from the applicant. The documents are stored in our HR system to which only our recruitment officer has access. The documents contain personal data, e.g. general information such as name, contact details, reference to previous employment, diplomas, civil registration numbers or sensitive data such as health data.
Horten Advokatpartnerselskab, Philip Heymans Alle 7, DK-2900 Hellerup, CVR no. 33775229, is controller of data received in connection with our general advice to clients.
Our contact details are: telephone +45 3334 4000, firstname.lastname@example.org (encrypted e-mail: email@example.com).
If you have any questions about our processing of your personal data, please contact us at: firstname.lastname@example.org.
PURPOSE AND BACKGROUND
We process the data we receive for the purpose of advising our clients in the cases which the data concern. The processing takes place depending on the nature of the assignment and of the data, with authority in Article 6 (1), paragraph b, c or f, Article 9 (2), paragraph f of the GDPR, or section 8 (3) of the Danish Data Protection Act. Generally, the authority to collect and process data is that it is necessary for performing the contract with our clients or for safeguarding our clients’ legitimate interests or establishing, relying on or defending their legal claims. Our processing of civil registration numbers is authorised in section 11 of the Data Protection Act.
In connection with our dunning and debt collection services, we collect our clients’ outstanding receivables, including via repossession of assets financed by the client or forced realisation of charged assets. Our processing of data is authorised in Article 6 (1), paragraph f, Article 9 (2), paragraph f of the GDPR or section 8 (3) of the Data Protection Act. Processing of data about civil registration numbers is authorised under section 11 (2) of the Data Protection Act.
Processing of data in connection with signing up for newsletters, Ret & Indsigt or events is authorised in Article 6 (1), paragraph a, b or f of the GDPR. In cases covered by the Danish Act on Measures to Prevent Money Laundering and Terrorist Financing, we collect identification data etc. on our clients in order to comply with the requirements of that Act. The authority for this processing is laid down in section 11 of the Act on Measures to Prevent Money Laundering and Terrorist Financing.
In connection with applications, we generally process personal data with authority in Article 6 (1), paragraph b of the GDPR, as the data have been forwarded by the applicants themselves in order to obtain employment. Processing of personality tests, logical tests, etc. is also authorised by the GDPR, Article 6 (1), paragraph f, or via consent, cf. Article 6 (1), paragraph a, and as far as sensitive data are concerned, Article 9 (2), paragraph a and section 12 of the Data Protection Act.
We will not make personal data available to any third parties for the purpose of marketing or similar purposes.
We only transfer personal data if it is necessary for us to be able to safeguard our clients’ above-mentioned interests. The typical recipients of such data are authorities, courts, opponents and their advisers. In cases covered by the Act on Measures to Prevent Money Laundering and Terrorist Financing, we transfer identification data etc. to the extent we are obligated to do so under the Act.
In connection with events, we may transfer lists of participants to speakers and the other participants, based on a specific balancing of interests.
We usually do not transfer data outside the EU, and if such transfer might take place, it will occur only in compliance with the necessary safeguards as required under current data protection legislation.
We transfer personal data to our systems suppliers, Mimecast, Nemtilmeld and HighQ, under processor agreements and for the sole purpose of enabling us to use the relevant IT systems.
We have taken appropriate technical and organisational measures to protect against unauthorised access to, loss or destruction of data for which we are responsible. We develop our security policies and procedures on a regular basis to ensure that our systems are secure and protected. Only persons with a legitimate need for processing personal data for the above-mentioned purposes have access to those data.
We store personal data as long as there is a relevant legal interest therein, which is usually determined based on a specific assessment of the significance of the data compared with the current statute of limitations. If there is a relevant legal interest, data may be stored for up to 10 years after the case has been closed.
In cases covered by the Act on Measures to Prevent Money Laundering and Terrorist Financing, we store identification data for five years after the case has been closed, according to the current rules.
THE DATA SUBJECT’S RIGHTS
According to the GDPR, the data subject is entitled:
- to have insight into the personal data processed by us;
- to have incorrect data deleted;
- in special cases to have data deleted before our general deletion takes place;
- to limit processing so that processing - except for storage - may only take place in the future subject to consent or for the purpose of establishing, exercising or defending a legal claim or to protect a person or important public interests;
- in certain situations to object to our legal processing of your personal data;
- to receive the registered personal data in a structured, commonly used and machine-readable format and in some cases to have the data transferred from one controller to another without hindrance (data portability).
In connection with the data subject’s exercise of the above-mentioned rights, we may demand relevant identification.
For more information on your rights, see the Danish Data Protection Agency’s guidelines describing the data subject’s rights on www.datatilsynet.dk.
You may file a complaint with the Danish Data Protection Agency if you are dissatisfied with our processing of your personal data. For more information on the Danish Data Protection Agency, see www.datatilsynet.dk.
This information was updated in September 2018 and will be updated on a regular basis according to the current rules and practice and in line with any adjustments of our procedures.