Privacy policy - Littler Norway
1 Introduction
Littler advokatfirma AS (“Littler Norway”, or “us”, “we”, and “our”) takes the protection of personal data seriously and is committed to processing your personal data in a lawful, secure and safe manner.
This Privacy Notice explains how Littler Norway process your personal data, and your rights as a data subject in this regard.
Littler Norway is the data controller in relation to the personal data that we process. For contact information, please see clause 9 below.
2 Categories of data subjects
This Privacy Notice applies to the following categories of data subjects (natural persons):
- Individuals who are our clients
- Contact persons with our corporate clients or prospective clients
- Individuals who are involved in cases that we handle
- Contact persons with our suppliers and business partners
- Individuals who are applying for a position with us
- Individuals who otherwise are in contact with us, such as individuals who attend our seminars and individuals who subscribe to our newsletter
3 Relevant processing purposes and lawful bases
3.1 Establishment of client relationship
Prior to the establishment of an engagement, we conduct a conflict check. Such conflict checks may involve collecting and processing information such as the name of the client, the matter concerned and the name of the opponent. The basis for processing is Article 6(1)(c) of the EU General Data Protection Regulation (“the GDPR”) (processing is necessary for compliance with a legal obligation to which the controller is subject). The processing is necessary to comply with our obligations under the code of conduct for lawyers. The basis for processing may also be Article 6(1)(f) of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller). We have a legitimate interest in behaving ethically correct.
Littler Norway is a member of Littler Global, a Swiss association of law firms (“Verein”) established under Swiss legislation. In connection with our procedures for conflict checks, information such as the name of the client, the matter concerned and the name of the opponent, may be conveyed to Littler Mendelson PC (a member firm in Littler Global), in order for them to conduct a global conflict check. The basis for processing is Article 6(1)(f) of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller). We have a legitimate interest in fulfilling our legal obligations and to safeguard our clients’ best interests. The processing involves transfer of data out of the EEA. The basis for such processing is Article 46(2)(c) of the GDPR (standard data protection clauses adopted by the Commission). You can read more about the Standard Contractual Clauses on the official website of the European Commission here.
Further, we process personal data to comply with our obligations under the Norwegian Anti-Money Laundering Act. We conduct due diligence measures where required, including identity checks. The basis for processing is Article 6(1)(c) of the GDPR (processing is necessary for compliance with a legal obligation to which the controller is subject).
We collect and process relevant contact information upon the establishment of a client relationship. For corporate clients, we collect the name, telephone number and e-mail address of contact persons. The basis for processing is Article 6(1)(f) of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller). We have a legitimate interest in assisting the client. For private clients, we collect the name, address, e-mail address and phone number of the client. The basis or processing is Article 6(1)(b) of the GDPR (processing is necessary for the performance of a contract to which the data subject is party).
3.2 Administration of client relationships
We process contact information to administrate our client relationships, including invoicing. For corporate clients, the basis for processing is Article 6(1)(f) of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller). We have a legitimate interest in invoicing. For private clients, the basis for processing is Article 6(1)(b) of the GDPR (processing is necessary for the performance of a contract to which the data subject is party).
3.3 Legal services
When we provide legal services, we normally receive and process personal data regarding the parties, opponents and/or other individuals involved in the case. Such information may appear in documents we receive from the clients or others.
For corporate clients, the basis for processing is Article 6(1)(f) of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller). We have a legitimate interest in fulfilling our contractual obligations and providing services to our clients. For private clients, the basis for processing is Article 6(1)(b) of the GDPR (processing is necessary for the performance of a contract to which the data subject is party).
The processing of sensitive personal data about clients and third parties is GDPR article 9(2)(f) (the processing is necessary for the establishment, exercise or defence of legal claims). The basis for processing sensitive personal data after the assignment is fulfilled is GDPR article 9(2)(f) (the processing is necessary for the establishment, exercise or defence of legal claims).
3.4 Archiving purposes
We normally retain all documents in relation to a case, for ten years.
The basis for processing is Article 6(1)(f) of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller). We have a legitimate interest in being able to document the work with the client and on the case, for example in connection with professional liability for lawyers.
The basis for processing sensitive personal data is GDPR article 9(2)(f) (the processing is necessary for the establishment, exercise or defence of legal claims).
3.5 Recruitment for employment
We receive and process personal data in connection with recruitment for positions with us. We process personal data such as name, date of birth, diploma, CV and contact information. We only process information that is necessary to assess whether the candidate is suitable to fill the position in question.
The basis for processing is Article 6(1)(f) of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller). We have a legitimate interest in assessing whether the applicants are suited to the positions in question, in communicating with applicants and in recruiting staff.
Information may be kept after the recruitment process is finished. The basis for such processing is Article 6(1)(a) of the GDPR (the data subject has given consent to the processing of his or her personal data for one or more specific purposes). The purpose of such processing is to be able to assess the applicant for open positions in the future.
3.6 Contractors and business partners
Littler Norway collects and processes information about contact persons with suppliers and business partners, including contact information and titles.
The basis for processing is Article 6(1)(f) of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller). We have a legitimate interest in administering our relationship with suppliers and partners, and to fulfil our contractual obligations.
We may also process personal data for purposes that are not incompatible with the original purpose for which the data was collected, including fulfilling our legal obligations, and where use of personal data may be required if we as a law firm become involved in legal proceedings.
3.7 Information on seminars etc.
In connection with seminars or events hosted by Littler Norway, contact information about participants will be processed. The basis for processing is Article 6(1)(b) of the GDPR (processing is necessary for the performance of a contract to which the data subject is party).
3.8 Distribution of newsletters
We send out newsletters by e-mail to individuals who have expressly subscribed to the newsletter, and individuals who are private clients and contact persons with corporate clients who have received legal services or been in contact with us during the latest years or have signed up for events hosted by us.
The personal data which are processed includes name and e-mail address as well as information about behaviour patterns, i.e. whether the newsletter is opened, and whether the receiver has clicked on links provided in the newsletter. The purpose of the latter is to understand what content the subscribers find interesting.
For persons who have expressly subscribed to the newsletter, the basis for processing is Article 6(1)(a) of the GDPR (the data subject has given consent to the processing of his or her personal data for one or more specific purposes). For other persons, the basis for processing is Article 6(1)(f) of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller). We have a legitimate interest in sending information and marketing communications to clients and persons who otherwise are in contact with us.
The subscribers may at any time unsubscribe our newsletter by clicking the link in the newsletter, or by sending us an email at:
4 Information security
Littler Norway has implemented technical and organisational measures in order to manage risk in a satisfactory manner, including safeguarding confidentiality, integrity, availability and robustness in the information systems.
5 Recipients
Our lawyers and staff are subject to a duty of confidentiality. Information will not be disclosed to a third party unless we have a lawful basis for such disclosure.
We may disclose personal data if we are required by law to do so and/or it is necessary for the provision of legal services. Categories of recipients may be public authorities, courts of law and/or opponents.
We use data processors to collect, store or otherwise process personal data on our behalf, including suppliers of IT systems and accounting systems. We have entered into data processing agreements with our data processors to ensure that personal data are processed in accordance with the data protection legislation applicable at any given time. The data processors only process personal data on documented instructions from us.
Please note that we are transferring data outside of the EEA while conducting conflict checks. For further information, please see clause 2.1 above.
6 Retention
Littler Norway process personal data for as long it is necessary to fulfil the initial purposes for which they were collected, and for purposes not considered to be incompatible with the initial purposes, including for compliance with our legal obligations.
Below is an overview of the retention period for the different categories of personal data.
Category | Retention time |
Personal data about clients and third parties | Personal data about clients and third parties in the client archive is deleted after 10 years. Personal data which are not included in the client archive, the following retention periods apply)
|
Personal data about job applicants | Deleted when the recruitment process is fulfilled. Upon consent from the applicant, we will store CV, application, work certificates and diploma up to 3 years to assess the applicant for new, relevant positions. |
Personal data about potential clients | Deleted 5 years after registration. |
Personal data about suppliers and partners | Deleted 5 years after the contract is terminated. |
Personal data about seminar/ event participators | Deleted 3 years after the seminar/ event. |
Personal data about newsletter subscribers | Deleted when the subscription is terminated. |
7 Your rights
The GDPR provides several rights for the data subject. As a main rule you have the right to request access to and rectification or erasure of your personal data. Further, you have the right to request restriction of processing, object to the processing as well as the right to claim data portability. You will find more information about your rights at the Norwegian Data Protection Authority’s website: www.datatilsynet.no.
To exercise your rights, please contact us. You will find our contact information under clause 9. We will answer your enquiry as soon as possible, and within 30 days at latest.
If you believe that our processing of personal data does not correspond to the description herein, or otherwise violates the personal data legislation, you may file a complaint to the Norwegian Data Protection Authority. You will find information about how to file a complaint to the Norwegian Data Protection Authority at the Authority’s website: www.datatilsynet.no.
8 Amendments to this Privacy Notice
We reserve the right to modify this Privacy Notice from time to time. We encourage interested parties to review this Privacy Notice on a regular basis. This Privacy Notice was last updated on 4 November 2021.
9 Contact information
If you have any question about this Privacy Notice or our processing of personal data, please contact us by email at: