INNOVA is a professional law firm providing legal and commercial advice to its clients.
A lawyer must act in accordance with the proper practice of the legal profession, and we are by statute subject to a duty of confidentiality. This also applies when processing personal data, and for INNOVA, protection of our customers’ and cooperation partners’ personal data are a natural and integrated part of our legal profession.
In the following you can read how INNOVA handles personal data, including how we collect, use and protect your personal data.
2. Data controller
INNOVA is a data controller and ensures that your personal data are processed in accordance with applicable data protection law.
Innova Advokatfirma Advokatpartnerselskab
Central Business Reg. No. (CVR) 32 27 85 82
DK-8000 Aarhus C
Contact person: Gitte Lokjær
3. Which information is collected and what is it used for?
In general, we only collect, process and store personal data that are
- necessary to provide a quote for legal services;
- necessary to enter into an agreement on legal services and to provide legal services;
- necessary to enter into an agreement on purchase of associated services or goods from our cooperation partners;
- necessary to improve our products and services.
In addition, it may be laid down in legislation which types of personal data we are to collect, or personal data may be collected in order to satisy or secure a legal position.
Personal data are processed in pursuance of Articles 6, 9, 10 and 87 of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016). Your data are typically processed because you have entered into or consider entering into an agreement with us, or if we are legally obliged to do so (e.g. pursuant to the Danish Money Laundering Act or the Danish Bookkeeping Act).
Data may be categorized into the following main categories:
- Informed use to provide a quote and/or enter into an agreement. When entering into an agreement, we process the personal data provided to us by you. It typically includes general contact information (e.g. name, address, occupation, civil reg. no. and email address). We process these personal data in order to manage and provide services to you or your business as a client.
- Identification information. When you are registered with us as a client, we collect identity information. This includes, for instance, a copy of your health insurance card, driver’s license or passport. We process this information in order to comply with existing legislation, including the Danish Money Laundering Act.
- Information that is necessary for performing the task. We process any personal data that are necessary for performing the task you have entrusted us with in the best possible way. You have provided us with the information yourself, or we may have obtained it from a third party, including personal data that have been made public. As legal tasks vary considerably, it may include many different types of personal data.
- Sensitive information. We only process sensitive personal data to the extent necessary in order to provide advice to you or if required or allowed by law. If the right or obligation does not follow from the law we will obtain your consent to process sensitive personal data. Such sensitive personal data will typically be health information that is relevant for the processing of your matter.
- Information about criminal acts. In some situations, we will process personal data about criminal acts if we have obtained consent to do so or if necessary in order to safeguard a legitimate interest which clearly exceeds the interest in ensuring that processing does not take place (balancing of interests) or if we are entitled to do so pursuant to legislation. The processing of personal data regarding criminal acts will often take place in connection with criminal proceedings.
Personal data will not be used or disclosed for marketing purposes unless you have given your explicit consent. Your consent is voluntary and you may withdraw it at any time by contacting us.
5. Who has access to personal data?
Our employees have access to use personal data to the extent this is required in order to provide services to you as a client or to comply with existing legislation.
The personal data are only disclosed to external cooperation partners responsible for handling functions that are necessary for us to be able to provide the services agreed. In these situations, the processing of personal data will be based on an instruction from INNOVA and a data processing agreement with the cooperation partner.
We may disclose personal data to the following third parties, among others:
- Our IT suppliers, including providers of hosting services (storage of personal data on our behalf) and IT support.
- External suppliers and cooperation partners necessary in order to comply with the client agreement, including your accountant, bank or other advisor.
- Our own suppliers and cooperation partners, like e.g. our bank, insurance company and accountant etc.
- Public authorities, if this is necessary for the handling of the matter, or if we are instructed to do so, including the Public Prosecutor for Serious Economic Crime pursuant to the Danish Money Laundering Act.
Moreover, we do not disclose personal data to others without your consent, including civil registration numbers, sensitive information or information about criminal acts, unless the purpose is to safeguard our clients’ interests or we are obliged to do so by statute. This includes, for instance, situations where we need your civil registration number etc. to lodge a writ in court or to make a complaint to a public authority on your behalf.
We do not transfer personal data to data processors outside the EU/EEA, unless this is necessary for the processing of your legal matter or you have instructed us to do so. When disclosing personal data to data processors outside the EU/EEA we will ensure, among others by way of data processing agreements, that your information and rights will remain protected and that the level of protection is high.
6. How long are data stored?
The personal data are stored for as long as you are a client with us.
When the client relationship has ended, the personal data will be stored for as long as necessary in order to comply with existing legislation, including the Danish Money Laundering Act, the Danish Bookkeeping Act and existing data protection legislation.
If one or more limitation periods related to your matter is ten years, we will usually store your personal data and the related documents for up to ten years, after which the personal data will be automatically deleted.
The deadline for such deletion may be deviated from if there is a justified reason to do so, including e.g. a pending legal action etc.
7. Your rights
- You have a right to access and rectify the personal data we process about you. Your right of access may, however, be restricted by law, including on basis of lawyers’ comprehensive duty of confidentiality or to protect the privacy of others. Our internal knowhow, opinions and memos etc. are also exempt from the right of access.
- You are entitled to object against the processing of your personal data.
- The right of data portability (provision of data in a commonly used machine-readable format).
- You have a right to obtain the erasure of personal data we have registered about you. If you want to obtain the erasure of your personal data, we will erase all personal data, which we are not instructed to store pursuant to legislation; that are not necessary for us to continue serving you as a client; or which we are still entitled to process.
- If the processing of personal data is based on your consent, you are entitled to withdraw the consent, which means that the processing will terminate unless it has been laid down in legislation that we are to process such personal data. As a result, we may not be able to offer you certain services.
- You are entitled to limit the processing of your personal data, e.g. if you contest the accuracy of the personal data or object to the processing.
You may send your request to the email address specified in section 2. Your request will be processed as soon as possible and no later than one month after we have received it. For complicated requests, the deadline may be extended by two months. If the request is manifestly unfounded or excessive, the request may be refused or a fee may be charged.
In case of questions or objections to our processing of your personal data, please do not hesitate to contact us by email as specified in section 2.
You may also lodge a complaint about our processing of your personal data to your local authority or the Danish Data Protection Agency.
See additional contact information and more about your right to complain here: www.datatilsynet.dk
Version 1 – May 2018