Privacy Notice

Processing of Personal Data at Wintherlaw (Advokat Morten Wilhelm Winther)

Wintherlaw, the law firm of Attorney Morten Wilhelm Winther, processes personal data as part of providing legal advice and attorney services to our clients. Such processing is based on the purpose of the business, which is to provide legal advice and attorney services.

This notice explains what personal data we collect, why we collect it, how we use it, how long we keep it, and the legal basis for our processing. While this notice covers most of our data processing activities, there may be instances where we process data differently, particularly in connection with specific client services. In such cases, we will inform the affected individuals separately.

For any questions about how we handle personal data, please contact us using the information provided below.

1. Controller of Personal Data Processing

The law firm Wintherlaw is the data controller, i.e., determines why and how personal data shall be processed, for the processing described below.

Contact information for the data controller:

Advokat Morten Wilhelm Winther
Email: morten@wintherlaw.no
Phone: +4799264773
Organization number: 934 529 685

2. Processing of Personal Data

We collect and use personal data for various purposes depending on your relationship with us and how we interact with you.

All processing of personal data is carried out in compliance with the privacy rules applicable at any time, including the Norwegian Personal Data Act and the EU’s General Data Protection Regulation (GDPR).

Personal data is any information about an identified or identifiable natural person (the latter referred to as "data subject").

Processing of personal data is any operation performed on personal data such as collection, recording, organization, structuring, storage, adaptation, alteration, transfer, or deletion.

2.1 Client Assistance

Wintherlaw offers legal services pursuant to the Norwegian Courts of Justice Act Chapter 11 and the Norwegian Act on Lawyers and Others Who Provide Legal Assistance (the Advocacy Act). In providing these services, we need to handle personal information about various individuals involved in each case. This includes not only our clients but also their employees, opposing parties, and other individuals connected to the matter.

Personal data processed will typically include:

  • Names and contact details

  • Communications related to the case

  • Information provided in legal documents

  • Details about individuals mentioned in case documentation

The initial processing of personal data in the client relationship starts when a potential client reaches out. Following this, several steps are taken:

  • A conflict-of-interest check with existing clients is performed.

  • Customer due diligence is conducted in accordance with anti-money laundering laws, which may involve searches in public sources like the Business Register and obtaining identification.

  • Contact information is registered when a client relationship is established.

  • Information is received and exchanged during the performance of assignments, including the provision of advice and other assistance.

  • Knowledge management practices are utilized, leveraging experiences from previous cases to inform current work.

  • Invoicing and other administrative tasks are carried out.

Following the initial setup, data processing continues throughout the client relationship in various ways:

  • Handling cases and assignments for clients.

  • Archiving and storing documents and information.

  • Reusing documents as examples, reference documents, or templates, which will be done without processing personal data whenever possible.

  • Managing client relationships, including the use of CRM systems.

  • Marketing activities, including websites and newsletters (discussed further below).

  • Invoicing for assignments.

  • Security and system protection measures, including logs.

·         Security and system protection measures, including logs.

This data processing is justified by a legitimate interest in providing legal services and assisting clients (GDPR Article 6(1)(f)). This includes managing client relationships, communicating with clients and other involved parties, and interacting with potential clients. This legitimate interest is weighed against the privacy rights of the individuals whose data is processed. 

If the client is a private individual, the processing of personal data will occur on the basis of fulfilling an agreement with the person concerned, see GDPR Article 6(1)(b).

Additionally, processing is conducted to comply with legal obligations such as conflict-of-interest checks, anti-money laundering laws, accounting, and archiving (GDPR Article 6(1)(c) and Advocacy Act § 36).

In some cases, special categories of personal data may be processed, such as health information, political opinions, trade union membership, etc., see GDPR Article 9(1). In such cases, the processing of the data has its basis in GDPR Article 9(2)(f) (processing is necessary for the establishment, exercise or defence of legal claims), cf. Personal Data Act § 11. Information about criminal matters may also be processed, on the basis of GDPR Article 9(2)(a) and (f), cf. Personal Data Act § 11. It is important to note that processing personal data in connection with legal proceedings (under the Courts of Justice Act, Criminal Procedure Act, Dispute Act, and Enforcement Act) falls outside the scope of privacy regulations (Personal Data Act § 2(2)).

The information will either originate directly from the individuals themselves or from third parties, such as contact persons' employers or other parties involved in a case, as part of the assistance provided.

Information will only be shared with third parties when necessary to deliver assistance, for example, with opposing parties, courts, or authorities. The specific details and timing of such transfers depend on the individual case. Beyond these circumstances, personal data will not be shared with third parties.

Data related to the provision of legal services will be retained for 10 years or longer, depending on the nature of the assignment and the information involved, in accordance with the Advocacy Act § 36. Information about who has been a client, the relevant time period, and the nature of the assignment will be stored for the firm's lifetime. Documents sent to the client or necessary to safeguard the client’s interests will be retained for as long as deemed necessary to serve those interests. In general, this period is capped at 30 years in accordance with the recommendations of the Norwegian Bar Association, with such information archived under restricted access.

Accounting materials, including personal data contained within, will be stored for five years after the end of the current accounting year, amounting to a total of six years. Documentation related to establishing client relationships and anti-money laundering controls will be retained for the duration of the client relationship, as required by the Anti-Money Laundering Act § 30 and Anti-Money Laundering Regulations § 6-3.

2.2 Communication and Contact

We process personal data from individuals who contact us to respond to inquiries, document communications, and facilitate further contact when necessary. This applies to all forms of communication, whether physical or digital, written or verbal.

The personal data we process includes names, phone numbers, email addresses, and any additional information provided through the inquiry, including communication history and logs.

Our processing of this information is based on our legitimate interest in managing communications and documenting interactions as part of our business operations, in accordance with GDPR Article 6(1)(f). We have determined that maintaining contact with external parties, documenting our activities, and responding to inquiries are essential to our operations. Furthermore, we have assessed that this processing is necessary for handling inquiries and that these interests outweigh any potential impact on the privacy of the individuals involved.

Providing personal data is voluntary, but it is required for us to address and respond to inquiries effectively.

We retain this information until it is no longer reasonable to expect further follow-up regarding the contact.

2.3 Email

We use email as a communication tool that involves the processing of personal data. This processing is justified by our legitimate interest in using email as an essential work and communication tool, in accordance with GDPR Article 6(1)(f). We have determined that this legitimate interest outweighs any potential impact on the privacy of the individuals involved.

The personal data processed in emails varies depending on the purpose and content of the communication. Emails are deleted when they are no longer needed, and we have implemented measures to ensure regular and systematic deletion of emails. Additionally, our security systems may access emails, but only for automated processing purposes.

2.4 Customers, Suppliers and Partners, etc.

We process personal data about contact persons at current and potential customers (in business relationships), suppliers, and other partners for purposes such as sales and marketing activities, managing relationships with suppliers and partners, delivering and documenting services, and evaluating service usage. This includes processing names, contact details, company names, and information related to interactions with the company the individual represents. For information on the processing of client-related personal data, please refer to the relevant section above.

The processing of this data is based on our legitimate interest (GDPR Article 6(1)(f)) in managing relationships with customers, partners, and suppliers. We have assessed that our legitimate interest outweighs any potential impact on individual privacy.

We also store and disclose information when required by law, such as under accounting and tax regulations. Data is retained as long as necessary, for instance, to document service-related circumstances.

In many cases, providing personal data is necessary to establish agreements with customers and suppliers, including documenting the agreement. Without the required information, we may not be able to enter into such agreements.

Providing personal data is voluntary for contact persons. When we collect personal data from other sources, it typically includes contact information (such as name, address, phone number, and email), position, role, employer, and where relevant, competencies and references. This information is usually sourced from the employer, such as from the company's website, or occasionally from references provided to assess the suitability of suppliers and partners.

We retain this data until the relationship with the customer, supplier, or partner ends, or until the individual ceases to serve as a contact person, except as required by the legal obligations mentioned above.

2.5 Use of Websites / Cookies

No personal data is collected or processed through the website unless you subscribe to newsletters, as described below.

Cookies are used on the website to ensure its functionality and gather statistical insights. For more information about cookies, see here. All cookie usage is conducted without collecting personal data.

Third-party solutions integrated into the website may also use cookies. In such cases, notices and options for managing these cookies will be provided through the respective third-party solutions.

2.6 Newsletters

Newsletters are sent out containing news, as well as information about services and marketing content. The only personal data processed for sending newsletters is email addresses.

The sending of newsletters and the associated processing of personal data is based on consent, as outlined in the Marketing Act § 15 and GDPR Article 6(1)(a), cf. Article 4(11) and Article 7. Additionally, we have a legitimate interest in keeping our customers and stakeholders informed with news and updates from our website.

Recipients can unsubscribe from the newsletter at any time via a link included in each email or through the company’s website.

3. Processing Based on Consent

If personal data is processed based on your consent, you have the right to withdraw your consent at any time. This will not affect the lawfulness of any processing carried out before the withdrawal. If you wish to withdraw your consent, please contact us.

Please note that even if you withdraw your consent, we may still process some or all of the data if another legal basis for processing applies.

4. Storage and Retention (Deletion)

We retain personal data for as long as necessary to fulfill the purpose for which it was collected and delete it in accordance with regulatory requirements. The retention period varies depending on how the data was obtained and the purpose for which it was collected. Specific deletion timelines are outlined above in the descriptions of individual processing activities or determined based on the following criteria:

  • Whether there is a legal or contractual obligation to retain the data, such as potential claims against us. For example, the limitation period for certain claims, including damages, can be up to 20 years under the Limitation Act § 9.

  • Whether the information is necessary for our business operations.

  • For data processed based on consent, whether consent has been withdrawn.

Due to the nature of our services, there is often a need to retain information related to client assistance for an extended period after the conclusion of the assistance. More details about this are provided above in the section on the processing of personal data in client assistance.

When we no longer have a legitimate need to process personal data, it is deleted or anonymized as soon as possible in accordance with applicable laws. In some cases, instead of deletion, anonymization may be appropriate. Anonymization involves removing all identifying or potentially identifying characteristics from datasets while preserving the data in a non-identifiable form.

For example:

  • Personal data processed based on your consent is deleted if you withdraw your consent.

  • Personal data processed to fulfil an agreement is deleted once the agreement is fulfilled, and all obligations arising from the contractual relationship are satisfied, such as legal requirements related to accounting or handling complaints.

  • Personal data processed to comply with legal obligations is deleted as soon as we are no longer required to retain it.

5. Transfer or Disclosure to Others

We do not share personal data with others except as outlined in this statement or when there is a legal basis to do so. Such a basis may include an agreement with or consent from the data subject, or a legal obligation requiring disclosure. Examples include public functions such as tax collection (when necessary), accountants or auditors, and other essential business relationships, such as banking partners.

We engage data processors to collect, store, or process personal data on our behalf, such as IT service and system providers. In these cases, we have established agreements to ensure that your rights and the security of your personal data are protected throughout all stages of processing. These suppliers act in compliance with data processing agreements and under our instructions. They are only authorized to use personal data for the purposes we have defined, as detailed in this privacy notice.

If required by law or if there is suspicion of a crime associated with the use of our services, personal data we have stored may be disclosed to public authorities.

In the event of a merger, financing, reorganization, or dissolution involving all or part of our business, personal data may be transferred to another organization. Such transfers will only occur if an agreement is in place ensuring that the collection, use, and sharing of personal data are restricted to purposes related to the transaction. This includes provisions governing whether the transaction proceeds, with personal data used solely for facilitating and completing the transaction.

If another company acquires us, our business, or our assets, that company will gain access to the personal data we have collected and will assume the rights and obligations related to your personal data as described in this privacy notice.

6. Transfer to Recipients Outside the EEA

All personal data processing occurs within the EU/EEA, in countries approved by the EU Commission, or in compliance with a valid legal basis for the transfer of personal data under GDPR Chapter V. Transfers to EU Commission-approved countries are conducted only after implementing the safeguards outlined in GDPR Article 46(2). If you would like information about the specific basis used for any transfer, please feel free to contact us.

7. Links to Third Parties/Other Websites

Our website may contain links to other websites, third-party providers offering products or services, or external resources beyond our control. These links are provided solely to give users access to additional information.

Websites not under our domain—specifically, those not associated with addresses such as wintherlaw.no/se/dk/eu/com—operate as independent data controllers and may have their own privacy policies. We are not responsible for the content or activities of these external websites.

8. Confidentiality and Security

In legal practice, safeguarding information, including personal data, is of paramount importance. We implement all necessary technical and organizational measures to ensure the security of information. Additionally, lawyers are bound by strict confidentiality obligations under the Norwegian Criminal Code § 211, and all information, including personal data, is handled with the utmost confidentiality.

We manage information to ensure its accuracy, availability, and proper handling based on its sensitivity. Various security technologies and procedures are employed to protect personal data from unauthorized access, use, or disclosure. Information systems security is maintained in compliance with GDPR Article 6(1)(c), which requires us to fulfil our legal obligations to secure information under GDPR Article 32. This security is also supported by our legitimate interest in protecting client information, as outlined in GDPR Article 6(1)(f).

We have established data processing agreements with all suppliers who process personal data on our behalf. These agreements require suppliers to uphold the same level of security standards that we apply to our own processing of personal data.

Access to personal data is restricted to authorized personnel or third parties who process the data on our behalf. These individuals or entities are bound by confidentiality obligations.

We have established procedures for managing information security breaches, including personal data breaches. If a breach occurs that poses a risk to the privacy of affected individuals, we will notify the Data Protection Authority (Norw.: Datatilsynet) as soon as possible and no later than 72 hours after discovering the breach. If the breach poses a significant risk to the privacy of those affected, we will also notify the impacted individuals directly.

9. Your Rights

Below is a summary of your rights regarding the processing of your personal data. To exercise these rights, please contact us using the information provided above or through any other method specified.

We will respond to your request as quickly as possible, and no later than within one month. If additional time is required, we will inform you of the delay.

To protect your privacy and ensure your data is secure, we may ask you to verify your identity or provide additional information before processing your request. This ensures that access to your personal data is granted only to you and not to anyone impersonating you.

9.1 Information

You have the right to know what personal data we process about you. This statement provides an overview of our data processing practices, but you are welcome to contact us if you would like more detailed information.

9.2 Access

You have the right to request access to the personal data we process about you. If you wish to exercise this right, please contact us.

Upon request, you will also receive a copy of the personal data we hold about you. To streamline the process, we may ask you to specify which information you would like a copy of. For security reasons, we may require you to verify your identity to ensure personal data is not disclosed to unauthorized individuals.

Unless otherwise requested, your information will be provided in digital format. If you prefer to receive it in a different format, please let us know.

9.3 Rectification and Erasure

You have the right to request that we correct any inaccurate information we hold about you or ask us to delete your personal data. While we will do our best to accommodate requests for deletion, there may be instances where we are unable to delete the data if it is still required for legitimate purposes.

9.4 Processing Based on Consent

If we process your personal data based on your consent, you have the right to withdraw your consent at any time. The simplest way to do so is by using the method provided when you gave your consent or by contacting us directly.

9.5 Right to Restrict or Object to Processing

You have the right to request restrictions on our processing of your personal data in certain circumstances, provided the conditions are met. If processing is restricted, your personal data will only be stored. For more details, see GDPR Article 21.

If our processing is based on legitimate interests, you also have the right to object to such processing. Should you object, we will stop the processing unless we can demonstrate compelling legitimate grounds to continue.

9.6 Right to Data Portability

No processing occurs in our business that provides the right to data portability. This means we do not process information that is both provided by you and necessary for the performance of an agreement with us, and which is processed automatically (i.e., not manually). Therefore, there is no data that can be requested for disclosure or transfer to another provider in a structured, commonly used, and machine-readable format.

9.7 Automated Processing, Including Profiling

No automated processing, including profiling, will be carried out using your personal data if it produces legal effects or similarly significant impacts on individuals. For more details, see GDPR Article 22(1) and (4).

9.8 Right to be Notified

If a personal data breach occurs—meaning a security breach involving personal data that poses a high risk to your privacy—we will notify you without undue delay.

10. Complaints

If you believe that our processing of personal data does not align with the practices described here or violates privacy legislation, you have the right to file a complaint with the Data Protection Authority. However, we encourage you to contact us first so we can address and resolve any issues promptly.

For more information about your rights and how to contact the Data Protection Authority, please visit their website: www.datatilsynet.no.

11. Changes

If there are changes to how we process personal data or to regulations governing personal data processing, this may result in updates to the information provided here. If the changes are significant and directly impact your privacy, we may contact you, provided we have your contact information. Otherwise, you can always find the latest version of this privacy notice on our website.