The relevant personal data rules currently applicable for our processing of personal data are laid down in the General Data Protection Regulation (Regulation no. 2016/679 of 27 April 2016) and the Danish Data Protection Act (Act no. 502 of 23 May 2018).
Our data protection policy relates to our processing of personal data as data controller. We are the data controller in a number of situations, such as when we handle client matters, when we engage new employees and in connection with marketing activities.
1. Whose personal data do we process?
Kammeradvokaten/ Poul Schmith protects and processes the personal data of our clients, opponents, suppliers, employees, partners and recipients of marketing information, etc., in accordance with the law on processing of personal data as applicable at any time.
2. What personal data do we process?
"Personal data" includes any information relating to an identifiable natural person, such as the person's name, e-mail address, personal identification number (CPR number) and address, and to factors specific to the physical, physiological, financial, cultural or social identity of that person. Data on legal persons are not included in the definition of "personal data".
Depending on the nature of the case or inquiry, we process general data, identification data (CPR number), data on criminal offences and sensitive data.
3. Where do the data come from?
We collect personal data directly from you or from a third party, such as clients, public authorities or partners.
4. How do we process the data?
"Processing" of personal data covers any activity involving personal data, such as collection, recording, structuring, organisation, storage, adaptation, alteration, consultation, use or disclosure.
We primarily process personal data about our clients, opponents, suppliers, employees and partners, but only to the extent necessary for the specific purpose and if there is a legal basis for doing so.
In most cases, we need to process general personal data, such as name, title, telephone number and e-mail address. The processing is necessary to enable us to deliver our legal services, submit invoices and perform quality assurance and audit and to comply with the requirements for documentation of identity under the Anti-Money Laundering Act to which we are subject in many matters.
In addition, it may in certain situations be necessary for us to process data on criminal offences and to process sensitive data such as data concerning health.
5. To whom do we disclose your personal data?
We only disclose your personal data to external parties if necessary and if there is a legal basis for doing so. External parties may be public authorities, private businesses or persons, foundations, associations, etc., depending on the nature of the matter. In addition, we pass on data to our data processors (e.g. IT suppliers).
Internally, only employees with a work-related need to see your personal data will be able to access the data.
6. What is the legal basis for our processing of your data?
We collect and process personal data on the following legal basis:
In connection with supply of legal services, we process data on clients, opponents and business partners under the authority of Article 6(1), point (f) of the General Data Protection Regulation (the legitimate interests rule) and Article 9(2), point (f) of the General Data Protection Regulation. This is based among other things on a legitimate interest in establishing, exercising or defending legal claims and in safeguarding the interests of our clients. We also process personal data on our clients under the authority of Article 6(1), point (b) of the General Data Protection Regulation where the processing is necessary for concluding and performing the contract on legal assistance.
We process personal data on participants in courses, training sessions and other events under the authority of Article 6(1), point (b) or Article 6(1), point (f) of the General Data Protection Regulation for the primary purpose of registering the participants, managing the event and issuing relevant course material, evaluation forms etc.
We only process your personal data for marketing purposes and for newsletters if you have given your explicit consent. The processing thus takes place under the authority of Article 6(1), point (a) of the General Data Protection Regulation. We publish personal data on employees or similar on our website and on social media platforms under the authority of Article 6(1), point (f) of the General Data Protection Regulation as part of our legitimate interest in making the content available to our users.
In general, we process personal data when the processing is necessary for compliance with a legal obligation (e.g. under the Anti-Money Laundering Act). This is authorised under Article 6(1), point (c) of the General Data Protection Regulation. We process data on criminal convictions and offences under the authority of Article 10 of the General Data Protection Regulation and section 8 of the Danish Data Protection Act (databeskyttelsesloven). We process CPR numbers (personal identification numbers) under the authority of section 11(2) of the Danish Data Protection Act.
For the purpose of preventing vandalism and burglaries etc., we carry out CCTV surveillance of entrance doors, reception areas, corridors, common areas etc. This is authorised under Article 6(1), point (f) of the General Data Protection Regulation and section 8 of the Danish Data Protection Act based on security interests and considerations and takes place within the framework of the Danish Act on TV Surveillance (tv-overvågningsloven).
7. When do we delete your data?
We will delete your personal data recorded with us when they are no longer necessary for the purpose(s) for which they were collected or processed.
We have internal guidelines for the period of storage of all categories of personal data. The guidelines are determined in accordance with the obligations to which we are subject under applicable law, including documentation and auditing requirements.
8. What are your rights?
You have certain rights under the data protection rules in relation to our processing of data about you.
If you wish to exercise any of those rights, please contact us. You have the following rights:
The right to see the data (right of access)
You are entitled to access the data that we process about you and certain other information.
Right of rectification (correction)
You are entitled to have incorrect data about you corrected.
Right of erasure
In special circumstances you are entitled to have data about you erased before the time of our generally scheduled erasure.
Right of restriction of processing
You are in certain circumstances entitled to restriction of processing of your personal data.
Right to object
You are in certain circumstances entitled to object to our otherwise lawful processing of your personal data.
Right to withdraw consent
Where our processing of your personal data is based on your consent, you are entitled to withdraw your consent at any time. You may do so by contacting us as specified below.
If you choose to withdraw your consent, this will not affect the lawfulness of our processing of your personal data on the basis of your previous consent until the time of the withdrawal. If you withdraw your consent, this will only take effect at the time of the withdrawal.
You can read more about your rights in the Danish Data Protection Agency's guide to the rights of data subjects, available at www.datatilsynet.dk.
9. How do we secure your data?
We comply with the requirements of ISO 27001 in our information security work.
The security measures in our organisation, processes and IT systems are laid down taking into account the nature, scope, context and purpose of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
The measures ensure among other things:
- Encryption of personal data
- Confidentiality, integrity, availability and resilience
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Regularly testing, assessing and evaluating the effectiveness of our measures for ensuring security of processing
10. Contact us
You may contact us if you wish to exercise any of your rights as described in paragraph 8 above, if you wish to complain, or if you have any other questions in relation to our personal data policy.
In this connection, please write to your closest contact person with us or as follows:
Kammeradvokaten/ Poul Schmith
Vester Farimagsgade 23
DK-1606 Copenhagen V
Att.: Sanne Dahl Fredslund
Telephone: + 45 33 15 20 10
11. Complaint to the Danish Data Protection Agency
You may also complain to the Danish Data Protection Agency about our processing of your personal data. See for more information www.datatilsynet.dk.
12. Changes to our data protection policy
Our data protection policy was last updated on 28 November 2018 and will be regularly updated.