PRIVACY NOTICE
This privacy policy describes how Sky Law Advokatfirma (“Sky Law”, "we" or "us"), process personal data we have collected. This policy also includes information about your rights in relation to our processing of personal data.
Data controller
Sky Law is typically acting as data controller and as such we are responsible for the processing of your personal data. This is the case, for example, where personal data are processed in our day-to-day business activities, legal work and advisory services to our clients. Only in the context of very specific services, like the administration of whistleblower schemes, or if we use specific IT tools to prepare or store documents on our clients’ behalf (as in contract management services, for example) are we required to conclude a data processing agreement with our clients, who will then be the controller of those data. Where we are acting as data controller the legal entity responsible for the processing is:
Sky Law Advokatfirma
Aarhusgade 118, DK-2150 Nordhavn, Copenhagen. Denmark.
Company registration number (CVR): 43915789
+45 4030 9749
niels@skylaw.dk
2. Our processing activities
In the following, you will find a description of our processing activities and the legal basis for performing each processing activity under the General Data Protection Regulation (GDPR) as well as the Danish Data Protection Act (in Danish “databeskyttelsesloven”) (DBL). We only process personal data where this is required in order for us to pursue our legitimate purposes as outlined below. Except under very extraordinary circumstances, we do not process personal data about children. Our processing activities do not include automated decision-making, including profiling.
2.1 When we provide our services to our clients
In connection with the provision of services to our clients we open a case file in our document management system. If you are associated with our client or if you are a party to the matter, we will process a number of your personal data. We use the personal data as an unavoidable part of performing our business activities, typically in order to communicate with you, to review the matter and to make any registrations in authorities' electronic service systems.
We process basic personal data about you, including contact details such as name, title or position, email address, telephone number, address and your place of employment. If we have to make registrations in public authorities' databases (virk.dk, tinglysning.dk or minretsag.dk) we may have to process some of your basic personal data, including your civil registration number (CPR-number or other personal ID number), in order to be able to identify you.
In connection with insurance matters concerning individuals, we may sometimes process sensitive personal data about you, for example health data. Sometimes we may also need to process data about criminal offences. The same applies when we are conducting a legal inquiry.
Personal data are provided by our client, by you or by a third person associated with the party you are representing. Sometimes, for example in relation to insurance matters, legal inquiries etc, personal data may be provided by other parties involved in the matter.
We process your personal data in order to perform a contract (GDPR article 6(1)(b)) with our clients as private individuals, as it is necessary for performing the agreement with you on the provision of legal services. For persons who are associated with our clients or are parties to a matter we are reviewing, the basis for processing is the legitimate interests rule (GDPR article 6(1)(f)), where the legitimate interest is to exercise or defend our client's legal claim. If sensitive personal data are involved, the basis for processing is that we are to exercise or defend a legal claim (GDPR article 9(2)(f)).
Civil registration numbers of clients who are natural persons are processed for the purpose of exercising or defending a legal claim (DBL section 11(2)(3) or DBL section 11(2)(4)). Data about criminal offences may be processed if necessary for the safeguarding of a legal interest and this interest clearly overrides the interests of the data subject (DBL section 8(3)).
If official registrations have to be made, we may share your personal data with certain public authorities through such authorities' data registration portals, i.e. the Danish Business Authority (virk.dk), the Danish Registration Court (tinglysning.dk) and the Courts of Denmark (minretsag.dk).
We store your personal data for as long as it is necessary for the purpose(s) for which they were collected. As a general rule, data will be stored for 10 years following the conclusion of a matter but in special cases such periods may be shorter or longer in order to comply with legal requirements for deletion or storage of data.
2.2 Marketing
We may use your personal data for marketing purposes, including for the purpose of being able to target communication specifically at you. Targeted communication includes. Furthermore, we may process personal data about you in connection with our interaction (for example likes, follows, shares etc) on various social media, including LinkedIn and Instagram. In a few cases you may be included directly in our news items on social media (for example in the form of photos, by name etc). In such situations we will always seek to obtain consent.
In order to build up and cultivate strong relationships with existing and potential clients, we may process data about you in a CRM-system. For this purpose, we process basic personal data, including name, title or position, email address, telephone number and your place of employment. We also register whether you wish to communicate with us in Danish or in English.
The personal data are provided by you or procured from publicly available sources, for example your LinkedIn profile or Instagram. When you use our website we will collect information when you register for our newsletter.
The legal basis for our processing of the data is the legitimate interests rule (GDPR article 6(1)(f)). The legitimate interests we pursue are our marketing interest and our interest in targeting the material we send to you. The legitimate interests we pursue when processing data in a CRM-system are to be able to attend to our daily client management and client relations as well as accounting and financial tasks. If you are included directly in our news items on social media, our legal basis for the processing of the data is based on consent (GDPR article 6(1)(a)).
If you have registered for our newsletter, we store your personal data for as long as you wish to receive information from us plus two years. If we have collected publicly accessible information about you for the purpose of carrying out marketing activities, we store data about you for as long as the relevant activity is ongoing plus two years.
We store your personal data in a CRM-system for as long as it is necessary for the purpose(s) for which they are being processed. As a general rule, data are stored for 5 years following the termination of the business relationship but under special circumstances such periods may be shorter or longer for the purpose of complying with legal requirements for the deletion or storage of data.
2.3 AML procedures
Under the Danish Act on Measures to Prevent Money Laundering and Financing of Terrorism (the "Anti-Money Laundering Act"), we must register the client's beneficial owners unequivocally in matters concerning the transaction of values. This also applies when we are to open a client account with a bank on behalf of a client. Consequently, if you or your undertaking is a client with us, you may be asked to provide documentation proving who you are or to assist in identifying your employer's beneficial owners.
In order to carry out and complete the anti-money laundering checks, we require some basic personal information, including name, address, place of birth and nationality. These details must be confirmed by presenting a scanned copy of a driving licence or passport. If the beneficial owners are not Danish or do not have a permanent residence in Denmark, additional information may be required. Such information will always be provided by the persons concerned..
We process these personal data in compliance with legal obligations (GDPR article 6(1)(c)). The legal obligation is laid down in section 10(1) of the Anti-Money Laundering Act. Data concerning civil registration numbers (CPR) are processed in compliance with the legislation (DBL section 11(2)(1).
When it is necessary to open a client account, we share the personal data collected with the bank in question, which is subject to the same legislation as we are in this situation.
If a public authority, for example the Danish Financial Supervisory Authority or the Danish Public Prosecutor for Serious Economic and International Crime, takes an interest in certain transactions, we are obliged under the Anti-Money Laundering Act to disclose such data to the authorities in question.
Personal data collected for the purpose of complying with the requirements of the Anti-Money Laundering Act are stored for a minimum of five years after termination of a business relationship. Under certain circumstances such periods may be shorter or longer, including for the purpose of complying with legal requirements for deletion and storage.
We are obliged to ensure that the data we collect are still relevant to the transaction and are updated regularly. In such cases, we may contact you at intervals of not more than 36 months for the purpose of updating data.
2.4 Events
When you attend one of our events, we use your personal data to keep in touch with you before, during and after the event in question. This also applies when you are employed with one of our customers and you have registered for a course or a seminar.
For the purposes of an event we only process basic personal data, including name, title or position, email address, telephone number and your place of employment.
The personal data we process are provided by you or by your employer, if your employer registered you for an event course or a seminar.
We process your personal data because it is necessary for the performance of a contract, if you are a party to the contract yourself, as the data are necessary for performing a contract to which you are a party (GDPR Article 6(1)(b)). The personal data may also be processed based on the legitimate interests rule (GDPR Article 6(1)(f)) where the legitimate interest is to administer seminars and send out evaluation forms etc. We store your personal data as long it is necessary for the purposes of the event in question and for the evaluation of such event. An event may be part of a pre-defined series of other courses or networking events. In such cases, we store your personal data until the entire series of courses or networking events has been completed and evaluated. If you are employed by one of our clients, we store your data for as long as we have a business relationship with the client in question. In case of an event that is subject to an attendance fee, we store invoicing data during the relevant financial year plus five years, as laid down in the Danish Bookkeeping Act.
2.5 Suppliers
In order to perform our services and receive goods and services from our suppliers and partners, we process a number of personal data about our suppliers, partners and any contact persons.
We process a number of basic personal data, including name, address, email address and telephone, as well as bank details for suppliers and partners. We also process basic personal data related to contact persons with the supplier or the partner in the form of name, title or position, email address and telephone number.
The personal data we process are provided by you or by your employer, if your employer first contacted us in connection with the contract.
The legal basis for processing of personal data is the performance of a contract with our partners (GDPR article 6(1)(b)). In a few cases we process personal data based on the rule of legitimate interests (GDPR article 6(1)(f)) where the legitimate interest is communication with suppliers and partners and to make sure that we will be able to offer professional services to our clients.
We store your personal data for as long as it is necessary for the purpose(s) for which such data are being processed. As a general rule, data are stored for 5 years following the termination of a business relationship but under special circumstances such periods may be shorter or longer for the purpose of complying with legal requirements for the deletion or storage of data.
2.6 Optimisation of your user experience on our website (cookies)
When you visit our website, personal data about your behaviour are collected by use of cookies. Cookies are collected to remember your preferences and for statistics and marketing purposes. In that connection we process some basic personal data, including about your behaviour on the website, and your IP address. The data we process have been provided by you.
The legal basis for processing of personal data is your consent (GDPR Article 6(1)(a) given in connection with your visit to our website, including your accept of cookies. In a few cases we process data on the basis of the rule on a balancing of interests (GDPR article 6(1)(f)) where the legitimate interest is optimisation of our website.
We store your personal data on cookies for as long as it is necessary for the purpose(s) for which the data are being processed. For more information about how the individual cookies are stored, you can read our cookie policy.
2.7 Processing of data on next of kin
In connection with our work relating to HR administration, we may process personal data about the next of kin of employees and former employees. We only process basic personal data, including name, email address and telephone of any next of kin.
The data we process have been provided by our employees or by former employees.
The processing of personal data is carried out based on the legitimate interests rule (GDPR article 6(1)(f)). The legitimate interest we pursue is to be able to contact employees' next of kin, if necessary.
We store your personal data for as long as it is necessary for the purposes for which they are being processed. As a general rule, data will be stored for 6 years after the effective date of termination relating to an employee, unless there are special reasons for storing such data for a longer period.
2.8 Administration of whistleblower schemes (as a data controller)
When reporting is made to a whistleblower scheme which we administer on behalf of a client, we process a number of personal data. We process personal data about persons reporting infringements, if such persons are identifiable, and about persons named in connection with such reporting. Processing includes administration of the whistleblower scheme for our client, including receipt of reporting, confirmation of receipt of reporting, and handling of reporting.
Additional information about our processing of your personal data is available from your employer or from the party making the whistleblower scheme available to you.
3. Data processor
In certain situations, we may be acting as data processor acting on behalf of our clients, this may include situations where we provide administration of a whistleblower scheme and the scheme has been set up in way in which we act as data processor (and not data controller as set out above). It may also include situations where we provide contract management systems or other services.
In the situations where we act as a data processor, our services will be governed by a data processing agreement.
4. Recipients of personal data
We only disclose your personal data to external parties if necessary and if there is a legal basis for doing so. These may be public authorities, courts, private companies or individuals, foundations, associations, etc. depending on the nature of the case.
In addition, we disclose information to our data processors (e.g. IT suppliers).
5. Data transfers
We ay transfer personal data to recipients outside the EU and EEA. These may be suppliers, counterparties, advisors or authorities. They may also be our data processors (e.g. IT suppliers).
If the recipient is located outside the EU or EEA in a country, we will enter into EU standard contractual clauses approved by the European Commission with the recipient before transferring the personal data. The recipient may also be located in a country in which the EU Commission has assessed that an adequate level of protection exists. In addition, we may transfer personal data if the transfer is necessary for the establishment, exercise or defence of legal claims. If you would like an overview of third country transfers and the basis for them, please contact us.
6. Your rights
You have the following rights regarding your personal data:
Right of access. You have the right to request access to your personal data and to request information about the processing we carry out.
Right to rectification. You have the right to have inaccurate personal data rectified and to have incomplete personal data completed.
Right to be forgotten. You have the right to request erasure of your personal data.
Right to restriction of processing. You also have the right to obtain restricted processing of your personal data to the effect that such personal data may not be processed other than merely by being stored.
Right to data portability. Finally, you have the right to receive the personal data which you have provided yourself to a controller, in a structured, commonly used and machine-readable format for personal use, and the right to transmit those data to another controller.
Right to object. You have the right to object at any time to lawful processing of your personal data, for example for direct marketing purposes.
Conditions or restrictions may apply to these rights; it depends on the specific circumstances relating to the processing activities.
If you wish to exercise your rights or if you have any questions regarding our processing of personal data, please contact us using the contact details set out herein.
7. Withdrawal of consent
Where our processing of your personal data is based on consent, you may withdraw such consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent carried out before the withdrawal. Withdrawal of consent does not become effective until you submit information about such withdrawal.
If you wish to exercise your right to withdraw your consent or if you have any questions regarding our processing of personal data, please contact us using the contact details set out herein.
8. Amendments
We reserve the right to amend this policy as a consequence of amendments to legislation or adjustment of our procedures.
9. Complaints
You have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet). You can contact the Danish Data Protection Agency:
E-mail: dt@datatilsynet.dk
Phone: +45 33193200
10. Contact information
Contact information
Sky Law Advokatfirma
Aarhusgade 118, DK-2150 Nordhavn.
Company registration number (CVR): 43915789