top of page

Privacy Policy

Sterk Law Firm

Last updated 15.08.23

This privacy policy applies to Advokatfirmaet Sterk AS ("we" or "us"). We are the data controllers for the processing of personal data as described in this privacy policy. You can find our contact information below.

1. Whose personal data we process

This privacy policy addresses our processing of personal data for the following individuals:
 

Private clients

  • Clients in criminal cases

  • Contact persons at business clients

  • Contact persons at our suppliers and partners

  • Individuals involved in cases we assist with

  • Other persons mentioned in case documents we access

  • Visitors to our website

2. Purposes, types of personal data, and legal basis

Below we have provided an overview of the purposes for which we process personal data, the types of personal data we process, and the legal basis for the processing.

Establishment of client relationship: When we are contacted by a client with a request to take on an assignment, we conduct an internal independence check (conflict clearance) before we potentially accept the assignment. The independence check serves a legitimate purpose and is based on GDPR Article 6(1)(f) (balancing of interests). Conflict checks for private clients typically include full name, the nature of the case, and, if relevant, creditworthiness. Generally, conflict checks on behalf of business clients do not involve processing of personal data.

In connection with the establishment of a client relationship, we will conduct a customer due diligence in accordance with the rules of the Anti-Money Laundering Act. The customer due diligence is necessary to fulfill our legal obligations under the Anti-Money Laundering Act, cf. GDPR Article 6(1)(c).

If we can accept the assignment, contact information is registered. The registration of contact information for private clients is necessary to enter into an agreement with the individual, cf. GDPR Article 6(1)(b). For business clients, the registration of contact information is based on a balancing of interests, cf. GDPR Article 6(1)(f).

Case handling: Some legal assignments involve us gaining access to personal data about parties or other individuals affected by a case. Such information may appear in documents the client forwards or other correspondence in the case. The processing of personal data in connection with assignments for business clients is anchored in GDPR Article 6(1)(f) (balancing of interests). In some cases, we also gain access to sensitive personal data, e.g., health information or criminal convictions and offenses. In such cases, the processing of the information is authorized by GDPR Article 9(2)(f) (processing is necessary for the establishment, exercise or defense of legal claims), cf. the Personal Data Act (new 2018) § 11.

Knowledge management: The processing basis is our interest in utilizing developed knowledge in further advisory services, cf. GDPR Article 6(1)(f) (balancing of interests).

Client administration: Separate case files are created for assignments performed on behalf of the client. Time and costs incurred on a case are registered in our case management system and accounting system. For business clients, what we do in connection with client administration is authorized by GDPR Article 6(1)(f) (balancing of interests), while for private clients it is considered a necessary part of fulfilling the agreement with the individual, cf. GDPR Article 6(1)(b).

Storage and retention of case documents: We retain case documents for 10 years after the assignment is completed. Storage for the specified period is deemed necessary for the sake of both the client and ourselves, as questions or disputes may arise later where the information stored on a case may again become relevant. The legal basis for processing personal data is GDPR Article 6(1)(f) (balancing of interests, cf. the legitimate interest indicated above) and GDPR Article 9(2)(f) (establish, exercise or defend legal claims), cf. the Personal Data Act (new 2018) § 11.

Invoicing: Contact information received from business clients is used to label invoices sent to the business if the client requests this. For private clients, the person's private postal address is used for sending invoices. The processing basis is GDPR Article 6(1)(f) (balancing of interests) for business clients and GDPR Article 6(1)(b) (necessary to fulfill the agreement with the data subject) for private clients.

IT operations and security: Personal data stored in our IT systems may be accessible to us or our suppliers in connection with system updates, implementation or follow-up of security measures, error correction or other maintenance. The processing basis is GDPR Article 6(1)(f) (balancing of interests, cf. our legitimate interest related to the mentioned activities) and our legal obligation to have satisfactory information security, cf. GDPR Articles 32 and 6(1)(c).

Marketing: We send newsletters to email addresses registered for clients to whom we continuously provide legal services and others who have requested our newsletter. Recipients of the newsletter can easily unsubscribe from the service by using the link included in each communication. The processing basis is GDPR Article 6(1)(f) (balancing of interests) where we have received the email address in connection with a legal assignment. If there is an existing customer relationship, the marketing will be done in accordance with the Marketing Act § 15(3). In other contexts, marketing is based on consent from the individual, cf. the Marketing Act § 15(1) and GDPR Article 6(1)(a).

3. Knowledge management:

The legal basis is our interest in utilizing developed knowledge in further advisory services, cf. GDPR Article 6(1)(f) (balancing of interests).
 

Client administration: Separate case files are created for assignments performed on behalf of the client. Time and costs incurred on a case are registered in our case management system and accounting system. For business clients, our client administration activities are based on GDPR Article 6(1)(f) (balancing of interests), while for private clients, it is considered a necessary part of fulfilling the agreement, cf. GDPR Article 6(1)(b).

Storage and retention of case documents: We retain case documents for 10 years after the assignment is completed. Storage for this period is deemed necessary for both the client's and our own interests, as questions or disputes may arise later where the information stored on a case may become relevant again. The legal basis for processing personal data is GDPR Article 6(1)(f) (balancing of interests, cf. the legitimate interest stated above) and GDPR Article 9(2)(f) (establishment, exercise, or defense of legal claims), cf. the Norwegian Personal Data Act (2018) § 11.

Invoicing: Contact information received from business clients is used to mark invoices sent to the company if the client requests this. For private clients, the person's private postal address is used for sending invoices. The legal basis is GDPR Article 6(1)(f) (balancing of interests) for business clients and GDPR Article 6(1)(b) (necessary to fulfill the agreement with the data subject) for private clients.

IT operations and security: Personal data stored in our IT systems may be accessible to us or our suppliers in connection with system updates, implementation or follow-up of security measures, troubleshooting, or other maintenance. The legal basis is GDPR Article 6(1)(f) (balancing of interests, cf. our legitimate interest in the aforementioned activities) and our legal obligation to have satisfactory information security, cf. GDPR Articles 32 and 6(1)(c).

Marketing: We send newsletters to email addresses registered for clients to whom we continuously provide legal services and others who have requested our newsletter. Newsletter recipients can easily unsubscribe from the service using the link included in each communication. The legal basis is GDPR Article 6(1)(f) (balancing of interests) where we have received the email address in connection with a legal assignment. If there is an existing customer relationship, marketing will be conducted in accordance with the Norwegian Marketing Act § 15(3). In other contexts, marketing is based on consent from the individual, cf. the Norwegian Marketing Act § 15(1) and GDPR Article 6(1)(a).

4. Who we share personal data with

Our IT service providers may have access to personal data if personal data is stored with the provider or otherwise available to the provider in accordance with the contract with us.

The providers act in accordance with data processing agreements and under our instructions. The provider may only use personal data for the purposes we have determined and as described in this privacy policy.
 

We use providers located in countries outside the EU and EEA. For the transfer of personal data to these providers, we use the EU's standard contractual clauses for transfers (read more here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en) and/or the EU-US Privacy Shield framework (read more here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en).

Lawyers are subject to a criminal-sanctioned duty of confidentiality pursuant to the Norwegian Penal Code § 111. All information entrusted to us in connection with an assignment is handled confidentially.

We do not disclose personal data in other cases or in ways other than those described in this privacy policy unless the client explicitly requests or consents to this or the disclosure is required by law.

5. Storage of personal data

We store case documents for 10 years before sending them to archive for storage for an additional 20 years.
 

Accounting legislation otherwise requires us to store certain accounting documents for a specified period. When a specific purpose requires storage for a given period, we ensure that personal data is used exclusively for the relevant purpose during this period.

6. Your rights

You have rights regarding personal data that concern you. Which rights you have depends on the circumstances.
 

Withdraw consent: If you have consented to receive our newsletter, you can withdraw this consent at any time. We have made it easy for you to opt out of this type of communication by including a link to an unsubscribe form in each communication. If you have consented to other processing of personal data, you can also withdraw your consent at any time for this processing by contacting us.

Request access: You have the right to access the personal data we have registered about you, as long as this does not conflict with attorney-client privilege. To ensure that personal data is disclosed to the right person, we may require that requests for access be made in writing or that identity is verified in another way.

Request correction or deletion: You can ask us to correct incorrect information we have about you or to delete personal data. We will, as far as possible, comply with a request to delete personal data, but we cannot do this if there are compelling reasons not to delete, for example, that we must store the information for documentation purposes.

Data portability: In some cases, you may have the right to receive personal data you have provided to us in a machine-readable format to have it transferred to another law firm. If technically possible, in some cases there may be an opportunity to have these transferred directly to the other firm.

Complain to the supervisory authority: If you disagree with the way we process your personal data, you can submit a complaint to the Norwegian Data Protection Authority.

7. Security

We have established procedures to handle personal data securely. The measures are both technical and organizational. We regularly assess the security of all central systems used for handling personal data, and agreements have been entered into that require suppliers of such systems to ensure satisfactory information security.

Access to personal data (and client/case information) is limited to personnel who need access to perform their tasks.

We have adopted internal IT guidelines, and we regularly train employees in security and use of IT systems.

8. Changes to the privacy policy

We may make minor changes to this privacy policy. You will always find the latest version on our website. In case of significant changes, we will notify you about this.

Contact us

If you have questions or comments about our privacy policy or you want to exercise your rights,

you can contact us:
 

Advokatfirmaet Sterk
Postboks 203 Sentrum 0103 Oslo

post@advokats.no 
+47 22 46 46 46

bottom of page