Last updated: January 4 2023.
1. When is Bing Hodneland a controller?
2. Which personal data we collect, and why we collect it?
We collect and process your personal data for different purposes, depending on who you are and how you get in contact with us. We primarily process personal data in order to offer our clients our legal advice and services.
First and foremost, we process personal data based on the contract we enter into with you as our client. We are also subject to a number of laws that require that we process personal data.
Sometimes we process personal data because it is in our legitimate interest to process it. When we process data based on legitimate interest, we have performed a balancing of interests and have concluded that the individual’s interest does not override our legitimate interest. You have the right to object to our processing of personal data on the basis of legitimate interest, and may do so by contacting us.
We process personal data for the following purposes:
Establishing and maintaining client relations. In terms of client relations, we process contact information, documentation of identity, payment information, etc. For private clients, our lawful basis is the performance of the contract we enter into with our private clients. For corporate clients, our lawful basis is our legitimate interest; this applies to personal data about contact persons for corporate clients and other information that is processed in relation to corporate clients. For both private and corporate clients, it follows from the order confirmation (and therefore a contract) that we must process certain personal data in order to complete an agreed matter. Certain acts of processing must be completed before the agreement is entered into. In addition, Bing Hodneland is required by law to process personal data when we establish and maintain a client relationship, such as the Anti-Money Laundering Act.
Case handling. In relation to case handling, we process personal data that is necessary for the case in question. We process personal data that is required to fulfil our contractual obligations with our clients, and our legal obligations as lawyers subject to the Regulation for advocates and other legal obligations depending on the matter in question, such as the Act relating to the Courts of Justice, the Dispute Act, and the Public Administration Act. . In addition to the fulfilment of a contract and legal obligation, consent may be the legal basis for processing (this will vary on a case by case basis, and different legal bases can apply to one case).
Information concerning opposing parties and other third parties. We process personal data as required to fulfil our obligations in the case in question. We process personal data to fulfil our contract with our client, as well as pursuant to legal obligations. We process personal data necessary for our commercial considerations and the code of conduct for Norwegian lawyers. If we process special categories of personal data, the legal basis is GDPR article 9 (2) f), where processing is necessary for the establishment, exercise or defence of legal claims.
Criminal judgements and offenses. The GDPR and the Norwegian Personal Data Act do not apply to cases pursuant to Norwegian procedural laws (the Courts of Justice act, the Criminal Procedure Act, the Dispute Act, the Enforcement Act), and it does not apply to matters that are processed pursuant to the Police Databases Act or the regulation concerning processing of personal data in the criminal justice system (“Forskrift om behandling av personopplysninger i kriminalomsorgen”). We may need to process personal data in situations where the Personal Data Act applies. In that case, we process personal data as necessary for the matter in question. We process personal data in order to establish or defend legal claims.
Real estate agency. Bing Hodneland acts as a real estate agent for certain clients. We process personal data of property owners, bidders, and buyers of real estate where Bing Hodneland acts as an assistant party in drawing up a contract, real estate agent or as responsible for the settlement. In the course of this work, Bing Hodneland processes data concerning identification, economic data, contact information, payment information, and information concerning bidders, etc. We process personal data on the basis of fulfilling a contract or consent. We are also required by law to process personal data as part of our property management work. For instance, we are subject to requirements in the Anti-Money Laundering Act and the Norwegian act governing real estate agents (“Eiendomsmeglerloven”).
Property management. Bing Hodneland acts as a property manager and business manager for some of our clients. We process personal data of tenants, owners of condominiums, and other interested parties. We process personal data concerning identification, data concerning the data subject’s economy, capacity to pay, and contact information. In our property management work, we might process special categories of personal data, such as health data. We process personal data in order to fulfil our contractual obligations. In addition, Bing Hodneland is subject to legal obligations to process personal data, such as the Anti-Money Laundering act and bookkeeping laws. We process special categories of personal data when the data subject has consented unequivocally to the processing in accordance with GDPR article 9 (2) (a), or the processing is necessary for the Controller or data subject to exercise specific rights in the field of employment and social security and social protection law, in accordance with GDPR article 9 (2) (h).
Archiving case files. We process personal data that is necessary in relation to a specific case. We process personal data on the basis of our legal obligation to archive ongoing and closed cases.
Billing. In order to bill we process contact information and payment information. For private and corporate clients, we process personal data on the basis of the contractual relationship we have with the client.
Marketing. We process names and e-mail addresses to send our newsletter, and occasionally for other marketing purposes. We process personal data based on consent from the person receiving the marketing, or pursuant to The Marketing Control Act (“markedsføringsloven”) section 15. Recipients are normally private clients or a contact person with a corporate client. You can withdraw your consent at any time. You can withdraw your consent getting in touch with us, or by clicking the unsubscribe link in the newsletter. If you do not wish to receive communications from us as part of our marketing efforts, you can send an e-mail to email@example.com.
Information about potential clients. In the process of entering into an agreement we process the necessary personal data about physical persons relevant for each client. . If we wish to include a client in a ranking, in a tender or otherwise publish information about a client, we will ask the client in question for consent for such publishing.
Knowledge management (e.g. re-use of documents). We process personal data on the basis of our legitimate interest for the purpose of knowledge management. We only process the personal data that is necessary for the case in question. We have concluded that the processing is necessary for internal knowledge sharing, and to ensure efficiency. We will as far as possible anonymise personal data in documents used for knowledge sharing purposes.
Recruitment. For recruitment purposes, we process your CV, cover letter, written and oral references, transcripts/diplomas, internal interview notes, and any personality/skills tests. We process personal data based on the contract with the person who applies for a job with us. If we keep an application after the end of a recruitment process, we only do so with the applicant’s consent.
Security. For security reasons, we perform logging on our servers, uncovering and resolving security incidents. We process personal data based on our legitimate interest. We have concluded that the processing is necessary in order to maintain information security and ensure that there is no unauthorised access to or disclosure of personal data.
3. To whom do we disclose your personal data
We do not disclose or transfer personal data to others unless we have a legal basis or obligation to do so. A typical instance where we would disclose personal data is a legal obligation that requires us to disclose information to an opposing party, the courts or other public bodies.
Bing Hodneland employs processors to process personal data on our behalf. When we do, we enter into all the necessary agreements in accordance with applicable data privacy legislation to ensure information security, and to adhere to the legal requirements for such agreements in all stages of processing.
We employ the following processors:
- Intility AS – supplier of IT service management
- Regnskap og Eiendom AS – leverandør av system for lønnskjøring og regnskap
- Deltek Norge AS – supplier of payroll and bookkeeping systems such as Maconomy
- iManage LLC – supplier of cloud service iManage used as case handling system
- PSA Consulting AS – supplier of consultancy services regarding iManage, Maconomy etc.
- Microsoft Ireland Operations Ltd – supplier of standard Microsoft365 such as Outlook and Teams
- Rambøll Management Consulting AS – supplier of PeopleXact used for employee surveys
- Bona Mea AS – supplier of online document sharing services at BonaMea.com
- Admincontrol AS – supplier of data room services as SaaS
- Cvideo AS – supplier of tool for work applicants
- ON Property AS – supplier that register tenants
- Visma Real Estate AS – supplier that delivers the service Webmegler that stores real estate data that may identify seller and/or purchaser, and name, telephone number, e-mail address, mail address and social security number for seller and purchaser
- Evry Norge AS – supplier of eC Trade and EDI services
All processing acts that we act as a controller for, is done in countries within the EU/EEA.
4. How long do we retain your data
We retain your personal data only for the period necessary to fulfil the purposes for which the data was collected.
This means that, for instance, personal data we process based on your consent will be deleted if you withdraw your consent. In certain circumstances we are obliged to continue processing your personal data due to a legal obligation. Personal data we process based on a contract with you will be deleted when the contract is fulfilled, and all the duties that flows from the contractual relationship have been fulfilled. Personal data we process to fulfil a legal obligation will be deleted when the law in question allows for deletion. This for example the case for bookkeeping and accounting.
Up to 10 years after the closure of the last case
Storage of case documents
Up to 10 years after the closure of the last case
Up to 5 years after the end of the fiscal year in which the billing was done
Information concerning potential clients
Up to 5 months
Knowledge management (e.g. re-use of documents)
Up to 10 years
Up to 3 months after the application deadline. Upon the applicant’s consent, we will store the CV, application letter, letters of recommendation and diplomas for up to 2 years, for the potential use for new and relevant job opportunities.
Up to 1 year
Security backup copies
Up to 3 years
5. Your rights as a data subject
You have a right to access the personal data we hold about you, as well as require us to correct any inaccuracies and the right to request that we erase your personal data. In certain circumstances, you have a right to restrict or object to our use of your personal data. If you have consented to our processing of personal data, you can withdraw your consent at any time. This will take effect for future processing of personal data where consent is the legal basis.
To exercise your rights you must get in touch with us by e-mail or telephone. We will respond to your enquiry as quickly as possible, and no later than 30 days after receiving it. We will ask you to confirm your identity or to give us further information before we let you exercise your rights pursuant to applicable data privacy laws. We do this to ensure that we do not disclose your personal data to anyone other than you.
6. When is Bing Hodneland a processor?
Since in our business we ourselves choose the purposes and means for the tools we use to assist clients, we as a law firm are independently responsible for data processing and therefore considered a controller. However, if we process personal data on behalf of a controller, we are considered a processor according to the GDPR.
In the event that a client instructs Bing Hodneland or someone at us to use a specific third-party solution such as e.g. a standard cloud service, we become a data processor from the moment we are given access to or otherwise process personal data on behalf of the client. In such cases, we are obliged to comply with the GDPR as a processor, and in such cases the addendum below applies as a processor agreement between the client as data controller and us as the data processor.
We will as the processor
a) process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Norwegian law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) takes all measures required pursuant to GDPR Article 32;
d) respects the conditions referred to in GDPR Article 28 paragraphs 2 and 4 for engaging another processor;
e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in GDPR Chapter III;
f) assists the controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Norwegian law requires storage of the personal data;
h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. With regard to point (h), the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Norwegian data protection provisions.
If you believe that our processing of personal data is not in accordance with what we have described here, or you have a concern or complaint about the way in which we process your personal data, you can send us an e-mail at firstname.lastname@example.org (please add “Complaint data privacy” to the subject line). If your complaint is not upheld, you can also make a complaint with the Norwegian Data Protection Authority. You can find more information about how you can get in touch with the Norwegian Data Protection Authority on its website www.datatilsynet.no/en/.