Last updated: February 23rd 2022.
1. When is Bing Hodneland a controller?
2. Which personal data we collect, and why we collect it?
We collect and process your personal data for different purposes, depending on who you are and how you get in contact with us. We primarily process personal data in order to offer our clients our legal advice and services.
First and foremost, we process personal data based on the contract we enter into with you as our client. We are also subject to a number of laws that require that we process personal data.
Sometimes we process personal data because it is in our legitimate interest to process it. When we process data based on legitimate interest, we have performed a balancing of interests and have concluded that the individual’s interest does not override our legitimate interest. You have the right to object to our processing of personal data on the basis of legitimate interest, and may do so by contacting us.
We process personal data for the following purposes:
Establishing and maintaining client relations. In terms of client relations, we process contact information, documentation of identity, payment information, etc. For private clients, our lawful basis is the performance of the contract we enter into with our private clients. For corporate clients, our lawful basis is our legitimate interest; this applies to personal data about contact persons for corporate clients and other information that is processed in relation to corporate clients. For both private and corporate clients, it follows from the order confirmation (and therefore a contract) that we must process certain personal data in order to complete an agreed matter. Certain acts of processing must be completed before the agreement is entered into. In addition, Bing Hodneland is required by law to process personal data when we establish and maintain a client relationship, such as the Anti-Money Laundering Act.
Case handling. In relation to case handling, we process personal data that is necessary for the case in question. We process personal data that is required to fulfil our contractual obligations with our clients, and our legal obligations as lawyers subject to the Regulation for advocates and other legal obligations depending on the matter in question, such as the Act relating to the Courts of Justice, the Dispute Act, and the Public Administration Act. . In addition to the fulfilment of a contract and legal obligation, consent may be the legal basis for processing (this will vary on a case by case basis, and different legal bases can apply to one case).
Information concerning opposing parties and other third parties. We process personal data as required to fulfil our obligations in the case in question. We process personal data to fulfil our contract with our client, as well as pursuant to legal obligations. We process personal data necessary for our commercial considerations and the code of conduct for Norwegian lawyers. If we process special categories of personal data, the legal basis is GDPR article 9 (2) f), where processing is necessary for the establishment, exercise or defence of legal claims.
Criminal judgements and offenses. The GDPR and the Norwegian Personal Data Act do not apply to cases pursuant to Norwegian procedural laws (the Courts of Justice act, the Criminal Procedure Act, the Dispute Act, the Enforcement Act), and it does not apply to matters that are processed pursuant to the Police Databases Act or the regulation concerning processing of personal data in the criminal justice system (“Forskrift om behandling av personopplysninger i kriminalomsorgen”). We may need to process personal data in situations where the Personal Data Act applies. In that case, we process personal data as necessary for the matter in question. We process personal data in order to establish or defend legal claims.
Real estate agency. Bing Hodneland acts as a real estate agent for certain clients. We process personal data of property owners, bidders, and buyers of real estate where Bing Hodneland acts as an assistant party in drawing up a contract, real estate agent or as responsible for the settlement. In the course of this work, Bing Hodneland processes data concerning identification, economic data, contact information, payment information, and information concerning bidders, etc. We process personal data on the basis of fulfilling a contract or consent. We are also required by law to process personal data as part of our property management work. For instance, we are subject to requirements in the Anti-Money Laundering Act and the Norwegian act governing real estate agents (“Eiendomsmeglerloven”).
Property management. Bing Hodneland acts as a property manager and business manager for some of our clients. We process personal data of tenants, owners of condominiums, and other interested parties. We process personal data concerning identification, data concerning the data subject’s economy, capacity to pay, and contact information. In our property management work, we might process special categories of personal data, such as health data. We process personal data in order to fulfil our contractual obligations. In addition, Bing Hodneland is subject to legal obligations to process personal data, such as the Anti-Money Laundering act and bookkeeping laws. We process special categories of personal data when the data subject has consented unequivocally to the processing in accordance with GDPR article 9 (2) (a), or the processing is necessary for the Controller or data subject to exercise specific rights in the field of employment and social security and social protection law, in accordance with GDPR article 9 (2) (h).
Archiving case files. We process personal data that is necessary in relation to a specific case. We process personal data on the basis of our legal obligation to archive ongoing and closed cases.
Billing. In order to bill we process contact information and payment information. For private and corporate clients, we process personal data on the basis of the contractual relationship we have with the client.
Marketing. We process names and e-mail addresses to send our newsletter, and occasionally for other marketing purposes. We process personal data based on consent from the person receiving the marketing, or pursuant to The Marketing Control Act (“markedsføringsloven”) section 15. Recipients are normally private clients or a contact person with a corporate client. You can withdraw your consent at any time. You can withdraw your consent getting in touch with us, or by clicking the unsubscribe link in the newsletter. If you do not wish to receive communications from us as part of our marketing efforts, you can send an e-mail to firstname.lastname@example.org.
Information about potential clients. In the process of entering into an agreement we process the necessary personal data about physical persons relevant for each client. . If we wish to include a client in a ranking, in a tender or otherwise publish information about a client, we will ask the client in question for consent for such publishing.
Knowledge management (e.g. re-use of documents). We process personal data on the basis of our legitimate interest for the purpose of knowledge management. We only process the personal data that is necessary for the case in question. We have concluded that the processing is necessary for internal knowledge sharing, and to ensure efficiency. We will as far as possible anonymise personal data in documents used for knowledge sharing purposes.
Recruitment. For recruitment purposes, we process your CV, cover letter, written and oral references, transcripts/diplomas, internal interview notes, and any personality/skills tests. We process personal data based on the contract with the person who applies for a job with us. If we keep an application after the end of a recruitment process, we only do so with the applicant’s consent.
Security. For security reasons, we perform logging on our servers, uncovering and resolving security incidents. We process personal data based on our legitimate interest. We have concluded that the processing is necessary in order to maintain information security and ensure that there is no unauthorised access to or disclosure of personal data.
3. To whom do we disclose your personal data
We do not disclose or transfer personal data to others unless we have a legal basis or obligation to do so. A typical instance where we would disclose personal data is a legal obligation that requires us to disclose information to an opposing party, the courts or other public bodies.
Bing Hodneland employs processors to process personal data on our behalf. When we do, we enter into all the necessary agreements in accordance with applicable data privacy legislation to ensure information security, and to adhere to the legal requirements for such agreements in all stages of processing.
We employ the following processors:
- Teknograd – supplier of IT service management
- Regnskap og Eiendom AS – supplier of payroll and bookkeeping systems
- Deltek AS – supplier of accounting systems.
All processing acts that we act as a controller for, is done in countries within the EU/EEA.
4. How long do we retain your data
We retain your personal data only for the period necessary to fulfil the purposes for which the data was collected.
This means that, for instance, personal data we process based on your consent will be deleted if you withdraw your consent. In certain circumstances we are obliged to continue processing your personal data due to a legal obligation. Personal data we process based on a contract with you will be deleted when the contract is fulfilled, and all the duties that flows from the contractual relationship have been fulfilled. Personal data we process to fulfil a legal obligation will be deleted when the law in question allows for deletion. This for example the case for bookkeeping and accounting.
Up to 10 years after the closure of the last case
Storage of case documents
Up to 10 years after the closure of the last case
Up to 5 years after the end of the fiscal year in which the billing was done
Information concerning potential clients
Up to 5 months
Knowledge management (e.g. re-use of documents)
Up to 10 years
Up to 3 months after the application deadline. Upon the applicant’s consent, we will store the CV, application letter, letters of recommendation and diplomas for up to 2 years, for the potential use for new and relevant job opportunities.
Up to 1 year
Security backup copies
Up to 3 years
5. Your rights as a data subject
You have a right to access the personal data we hold about you, as well as require us to correct any inaccuracies and the right to request that we erase your personal data. In certain circumstances, you have a right to restrict or object to our use of your personal data. If you have consented to our processing of personal data, you can withdraw your consent at any time. This will take effect for future processing of personal data where consent is the legal basis.
To exercise your rights you must get in touch with us by e-mail or telephone. We will respond to your enquiry as quickly as possible, and no later than 30 days after receiving it. We will ask you to confirm your identity or to give us further information before we let you exercise your rights pursuant to applicable data privacy laws. We do this to ensure that we do not disclose your personal data to anyone other than you.
If you believe that our processing of personal data is not in accordance with what we have described here, or you have a concern or complaint about the way in which we process your personal data, you can send us an e-mail at email@example.com (please add “Complaint data privacy” to the subject line). If your complaint is not upheld, you can also make a complaint with the Norwegian Data Protection Authority. You can find more information about how you can get in touch with the Norwegian Data Protection Authority on its website www.datatilsynet.no/en/.