Privacy policy for Plesner Advokatpartnerselskab

This policy describes how we, Plesner Advokatpartnerselskab ("we" or "us"), process personal data we have collected. This policy also includes information about your rights in relation to our processing of personal data.

1 Data controller

Plesner acts as the data controller in a number of situations. The legal entity responsible for the processing of your personal data is:

Plesner Advokatpartnerselskab
Company Registration (CVR) No: 38 47 79 35
Amerika Plads 37
DK-2100 Copenhagen Ø, Denmark
compliance@plesner.com
Tel: +45 33 12 11 33

2 Description of processing

We only process personal data where processing is necessary for legitimate purposes. Our processing does not include automated decision-making, including profiling, based on your personal data.

In the following we describe the purposes for which we process your personal data as well as the legal basis for doing so under the General Data Protection Regulation (GDPR") and/or the Danish Data Protection Act ("DPA"). If we need to process personal data for any other purpose than originally intended, we will inform you about this prior to any such further processing.

2.1 Our provision of services
In connection with the provision of services to our clients we always create a case file in our document management system. If one or several partners are involved in the matter, they will be named as contacts in our system. If you are associated with our client or if you are a party to the matter, we will process a number of your personal data. We use the personal data to communicate with you, to review the matter and to make any registrations in authorities' electronic service systems.

We process basic personal data about you, including contact details such as name, title or position, email address, telephone number, address and your place of employment. If we have to make registrations in public authorities' databases (virk.dk, tinglysning.dk or minretsag.dk) we may have to process some of your basic personal data, including your civil registration number, in order to be able to identify you.

In connection with insurance matters concerning individuals, we may sometimes process sensitive personal data about you, for example health data. Sometimes we may also need to process data about criminal offences. The same applies when we are conducting a legal inquiry.

Personal data are provided by our client, by you or by a third person associated with the party you are representing. Sometimes, for example in relation to insurance matters, legal inquiries etc, personal data may be provided by other parties involved in the matter. 

We process your personal data in order to perform a contract (GDPR Article 6(1)(b)) with our clients as private individuals, as it is necessary for performing the agreement with you on the provision of legal services. For persons who are associated with our clients or are parties to a matter we are reviewing, the basis for processing is the legitimate interests rule (GDPR Article 6(1)(f)), where the legitimate interest is to exercise or defend our client's legal claim. If sensitive personal data are involved, the basis for processing is that we are to exercise or defend a legal claim (GDPR Article 9(2)(f)). 

Civil registration numbers of clients who are natural persons are processed for the purpose of exercising or defending a legal claim (DPA section 11(2)(4)). Data about criminal offences may be processed if necessary for the safeguarding of a legal interest and this interest clearly overrides the interests of the data subject (DPA section 8(3)).

If official registrations have to be made, we may share your personal data with certain public authorities through such authorities' data registration portals, i.e. the Danish Business Authority (virk.dk), the Danish Registration Court (tinglysning.dk) and the Courts of Denmark (minretsag.dk).

We store your personal data for as long as it is necessary for the purpose(s) for which they were collected. As a general rule, data will be stored for 15 years following the conclusion of a matter but in special cases such periods may be shorter or longer in order to comply with legal requirements for deletion or storage of data.

2.2 Specifically in matters relating to bankruptcy, debt restructuring, restructuring and liquidation ("estate matters")
In connection with the performance of our obligations as attorneys when we are appointed trustees, liquidators or restructuring administrators in bankruptcies, liquidations or restructurings, we will process data about the owners of the estate in bankruptcy, members of the board of directors, members of management, employees, customers, suppliers  etc. We may sometimes be appointed by the Bankruptcy Court to handle debt restructuring matters which means that we will be processing personal data for the purpose of assisting the Bankruptcy Court with the debt restructuring. 

When we become trustees, we will process basic personal data, including name, title or position, private and work contact details, email, address and telephone number. In connection with the processing we may also process data concerning your employment, including your employment contract, working hours and data about salary, taxes and financial affairs. We also process the civil registration numbers of debtors, employees and members of management. In most cases we may also have to process sensitive personal data such as trade union membership, health data etc. In some situations we may also need to process data about criminal offences.

Such data is primarily provided by you or by your employer. The data may also be provided by a public authority. 

We process your personal data in order to comply with the legal obligations we accept when we assist the Bankruptcy Court and are appointed either a trustee or a restructuring administrator (GDPR Article 6(1)(c)). Our processing may also be carried out on the basis of the legitimate interests rule (GDPR Article 6(1)(f)) The legitimate interest we pursue is our practice of law. 

The legal basis for our processing of civil registration numbers follows from the relevant legislation (DPA section 11(2)(1)). When we disclose your civil registration number, we do so to be able to identify you and to exercise or defend a legal claim (DPA section 11(2)(4), see section 7(1)).

We process your sensitive personal data because it is necessary for the establishment, exercise or defence of legal claims (GDPR Article 9(2)(f)). We process your personal data in order to comply with the legal obligations we undertake when we assist the Bankruptcy Court and are appointed either trustees or restructuring administrators (GDPR Article 9(2)(g)). Data about criminal offences may be processed if it is necessary for the purpose of safeguarding a legitimate interest and this interest clearly overrides the interests of the data subject (DPA section 8(3)). In addition to this, data about criminal offences may be processed for the purpose of establishing, exercising or defending a legal claim (DPA section 8(5), see DPA section 7(1)).

As a general rule, we do not disclose your personal data to third parties. If an authority, for example the Bankruptcy Court, the Danish Debt Collection Agency, the Danish Tax Agency, the police etc, takes an interest in the matter, we are obliged under the Danish Bankruptcy Act and the Danish Companies Act to disclose the data to the authorities in question. The transfer may also be made as part of the review of the matter, for example to external legal advisors assisting in the matter, co-trustees etc. 

We store your personal data for as long as it is necessary for the purpose(s) for which such data are being processed. As a general rule, data are stored for 15 years following the conclusion of a matter but in special cases such periods may be shorter or longer in order to comply with legal requirements for deletion or storage of data.

2.3 Administration of whistleblower schemes
When reporting is made to a whistleblower scheme which we administer on behalf of a client, we process a number of personal data. We process personal data about persons reporting infringements, if such persons are identifiable, and about persons named in connection with such reporting. Processing includes administration of the whistleblower scheme for our client, including receipt of reporting, confirmation of receipt of reporting, and handling of reporting.

Additional information about our processing of your personal data is available from your employer or from the party making the whistleblower scheme available to you. 

2.4 Implementation of an anti-money laundering procedure and opening of client accounts with banks
Under the Danish Act on Measures to Prevent Money Laundering and Financing of Terrorism (the "Anti-Money Laundering Act"), we must register the client's beneficial owners unequivocally in matters concerning the transaction of values. This also applies when we are to open a client account with a bank on behalf of a client. Consequently, if you or your undertaking is a client with us, you may be asked to provide documentation proving who you are or to assist in identifying your employer's beneficial owners.

In order to be able to carry out and complete anti-money laundering control, we need some basic personal data, including name, address, place of birth and nationality. Such data must be confirmed by presentation of a scanned copy of a driving license or a passport. When the beneficial owners are not Danish or do not have permanent residence in Denmark, additional data may be required.

Such data will always be provided by the persons concerned.

We process these personal data in compliance with legal obligations (GDPR Article 6(1)(c)). The legal obligation is laid down in section 10(1) of the Anti-Money Laundering Act. Data concerning civil registration numbers are processed in compliance with the legislation (DPA section 11(2)(1).  

When it is necessary to open a client account, we share the personal data collected with the bank in question, which is subject to the same legislation as we are in this situation.

If a public authority, for example the Danish Financial Supervisory Authority or the Danish Public Prosecutor for Serious Economic and International Crime, takes an interest in certain transactions, we are obliged under the Anti-Money Laundering Act to disclose such data to the authorities in question.

Personal data collected for the purpose of complying with the requirements of the Anti-Money Laundering Act are stored for a minimum of five years after termination of a business relationship. Under certain circumstances such periods may be shorter or longer, including for the purpose of complying with legal requirements for deletion and storage.

We are obliged to ensure that the data we collect are still relevant to the transaction and are updated regularly. In such cases, we may contact you at intervals of not more than 36 months for the purpose of updating data.

2.5 Courses and seminars
When you attend one of our courses or seminars, we use your personal data to keep in touch with you before, during and after the event in question. This also applies when you are employed with one of our clients and you have registered for a course or a seminar.

For the purposes of a course or a seminar we only process basic personal data, including name, title or position, email address, telephone number and your place of employment.

The personal data we process are provided by you or by your employer, if your employer registered you for a course or a seminar.

We process your personal data because it is necessary for the performance of a contract, if you are a party to the contract yourself, as the data are necessary for performing a contract to which you are a party (GDPR Article 6(1)(b)). The personal data may also be processed based on the legitimate interests rule (GDPR Article 6(1)(f)) where the legitimate interest is to administer seminars and send out evaluation forms etc.

We store your personal data as long it is necessary for the purposes of the course or seminar in question and for the evaluation of such course or seminar. A course may be part of a pre-defined series of other courses or networking events. In such cases, we store your personal data until the entire series of courses or networking events has been completed and evaluated. If you are employed by one of our clients, we store your data for as long as we have a business relationship with the client in question. In case of an event that is subject to an attendance fee, we store invoicing data during the relevant financial year plus five years, as laid down in the Danish Bookkeeping Act.

2.6 Marketing
We use your personal data for marketing purposes, including for the purpose of being able to target communication specifically at you. Targeted communication includes newsletters, including Plesner Insight. In addition to this, Plesner may process personal data about you in connection with our interaction (for example likes, follows, shares etc) on various social media, including LinkedIn, Facebook and Instagram. In a few cases you may be included directly in our news items on social media (for example in the form of photos, by name etc). In such situations we will always seek to obtain consent.

In order to build up and cultivate strong relationships with existing and potential clients, we process data about you in our CRM-system.

For this purpose, we process basic personal data, including name, title or position, email address, telephone number and your place of employment. We also register whether you wish to communicate with us in Danish or in English.

The personal data are provided by you or procured from publicly available sources, for example your LinkedIn profile, Facebook or Instagram. When you use our website we will collect information when you register for our newsletter. 

The legal basis for our processing of the data is the legitimate interests rule (Article 6(1)(f)). The legitimate interests we pursue are our marketing interest and our interest in targeting the material we send to you. The legitimate interests we pursue when processing data in our CRM-system are to be able to attend to our daily customer management and customer relations as well as accounting and financial tasks. If you are included directly in our news items on social media, our legal basis for the processing of the data is based on consent (GDPR Article 6(1)(a)). 

If you have registered for one or several of our newsletters, we store your personal data for as long as you wish to receive information from us plus two years. If we have collected publicly accessible information about you for the purpose of carrying out marketing activities, we store data about you for as long as the relevant activity is ongoing plus two years. 

As a general rule, personal data are stored on our social media accounts for one year. However, in order to comply with legal requirements for deletion or storage, such periods may be shorter or longer. 

We store your personal data in our CRM-system for as long as it is necessary for the purpose(s) for which they are being processed. As a general rule, data are stored for 5 years following the termination of the business relationship but under special circumstances such periods may be shorter or longer for the purpose of complying with legal requirements for the deletion or storage of data. 

2.7 Administration of foundations and associations
We provide secretariat services to a number of foundations and associations. We maintain and update lists of members, send out invitations and organise meetings, collect membership fees and deal with applications for grants. 

In order to be able perform secretariat work, we process basic personal data in the form of names, titles or positions, email addresses and places of employment of members of associations. We also process the personal identification numbers and account numbers of members holding salaried positions in either a foundation or an association. If you have applied for a grant we process basic personal data about you, including name, title or position, email address and place of employment. If you are to receive funds from a foundation, we also process your personal identification number and your account number. 

We will obtain the data we process from you. 

We process your personal data in connection with applications for grants on the basis of the legitimate interests rule (GDPR Article 6(1)(f)). The legitimate interest pursued is the evaluation of the applications for grants received and the administration of the disbursement of such grants. The legal basis for our processing of personal identification numbers is the relevant legislation governing the area (the Danish Data Protection Act, section 11(2)(i)). 

We process your personal data in connection with the provision of other secretariat assistance to foundations and associations based on the legitimate interests rule (Article 6(1)(f)). The legitimate interest pursued is our provision of secretariat assistance to a foundation or an association. The legal basis for our processing of personal identification numbers is the relevant legislation governing the area (the Danish Data Protection Act, section 11(2)(i)). 

We do not disclose your personal data to third parties. The secretariat of a foundation may, however, be transferred to another administrator, typically another law firm. In such a situation your personal data will be transferred with the secretariat to the new administrator. 

We keep your personal data as long as necessary. In relation to an association it means that such a term will correspond to the term of your membership of the association in question. We will keep the personal data relating to applicants for grants and members having salaried positions with foundations and associations for at least five years from expiry of the financial year in order to comply with the legal obligations arising from the Danish Bookkeeping Act and the requirements for reporting to the Danish Tax Agency. 

2.8 Suppliers and partners
In order to perform contract management and receive goods and services from our suppliers and partners, we process a number of personal data about our suppliers, partners and any contact persons.

We process a number of basic personal data, including name, address, email address and telephone, as well as bank details for suppliers and partners. We also process basic personal data related to contact persons with the supplier or the partner in the form of name, title or position, email address and telephone number.

The personal data we process are provided by you or by your employer, if your employer first contacted us in connection with the contract. 

The legal basis for processing of personal data is the performance of a contract with our partners (GDPR Article 6(1)(b)). In a few cases we process personal data based on the rule of legitimate interests (GDPR Article 6(1)(f)) where the legitimate interest is communication with suppliers and partners and to make sure that we will be able to offer professional services to our clients.

We store your personal data for as long as it is necessary for the purpose(s) for which such data are being processed. As a general rule, data are stored for 5 years following the termination of a business relationship but under special circumstances such periods may be shorter or longer for the purpose of complying with legal requirements for the deletion or storage of data.

2.9 Visitors to Plesner's premises, including closed circuit television surveillance
We process data about visitors to our premises. We carry out video surveillance of select areas. In that connection we may process basic personal data, including name, title or position, telephone number, email address, which client the person is representing, and the name of the person at Plesner you are visiting.

The processing of personal data is carried out based on the legitimate interests rule (GDPR Article 6(1)(f)). The legitimate interests we pursue are to secure our physical area, maintain security measures and prevent and detect crimes. In special cases personal data about criminal offences may be processed; such information are processed if it is necessary for the purpose of safeguarding a legitimate interest and this interest overrides the interests of the data subject (DPA section 8(3)).

We do not store data about visitors (guests) to our premises. However, we store registrations and video recordings if there is any basis for doing so. Video recordings are stored on a local server on our premises, and will as a general rule be deleted automatically after 30 days unless an event has been identified which justifies storing the material for a longer period. If you are included as an addressee on an electronic invitation for a meeting or an event at Plesner, the data will be stored for up to 15 months. 

2.10 Administration of data regarding employees' next of kin
In connection with our work relating to personnel administration, we process personal data about the next of kin of employees and former employees. We only process basic personal data, including name, email address and telephone of any next of kin.

The data we process have been provided by our employees or by former employees. 

The processing of personal data is carried out based on the legitimate interests rule (GDPR Article 6(1)(f)). The legitimate interest we pursue is to be able to contact employees' next of kin, if necessary.

We store your personal data for as long as it is necessary for the purposes for which they are being processed. As a general rule, data will be stored for 6 years after the effective date of termination relating to an employee, unless there are special reasons for storing such data for a longer period.

3 Recipients

We treat the data as confidential and as a general rule we do not disclose your data. However, data may be disclosed to external suppliers, including data processors, who are assisting Plesner in its operations.

Under certain circumstances, your data will be disclosed to external third parties such as specific clients, adversaries, authorities and/or courts.

We will in particular in cases described in clauses 3.2 and 3.3, depending on the specific circumstances, disclose personal data to third parties where it is necessary in order to comply with legal obligations, and/or if it is done as part of a case review. Such data may be disclosed to the Bankruptcy Court, the Tax Administration, the police, other law firms or accountants.

4 Third countries

In a few cases it may be necessary to transfer personal data to countries outside the EU/EEA, including to a specific client, adversary, court etc. If so, such data will be transferred in accordance with GDPR Article 49(1)(e), under which transfer may take place if it is necessary for the establishment, exercise or defence of legal claims. 

When personal data are transferred in other situations, including to our partners or suppliers, the personal data are processed by our data processors, and accordingly processing is carried out in accordance with our instructions. Processing will as a general rule be carried out with the European Commission's standard contractual clauses as our transfer basis.

5 Your rights

You have the following rights regarding your personal data:

  • Right of access. You have the right to request access to your personal data and to request information about the processing we carry out.
  • Right to rectification. You have the right to have inaccurate personal data rectified and to have incomplete personal data completed.
  • Right to be forgotten. You have the right to request erasure of your personal data.
  • Right to restriction of processing. You also have the right to obtain restricted processing of your personal data to the effect that such personal data may not be processed other than merely by being stored.
  • Right to data portability. Finally, you have the right to receive the personal data which you have provided yourself to a controller, in a structured, commonly used and machine-readable format for personal use, and the right to transmit those data to another controller.
  • Right to object. You have the  right to object at any time to lawful processing of your personal data, for example for direct marketing purposes.

Conditions or restrictions may apply to these rights; it depends on the specific circumstances relating to the processing activities.

If you wish to exercise your rights or if you have any questions regarding our processing of personal data, please contact Plesner at compliance@plesner.com or call +45 3312 1133.

6 Withdrawal of consent

Where our processing of your personal data is based on consent, you may withdraw such consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent carried out before the withdrawal. Withdrawal of consent does not become effective until you submit information about such withdrawal.

If you wish to exercise your right to withdraw your consent or if you have any questions regarding our processing of personal data, please contact Plesner at compliance@plesner.com or call +45 3312 1133.

7 Amendments

We reserve the right to amend this Privacy Policy as a consequence of amendments to legislation or adjustment of our procedures.

8 Filing a complaint with the danish data protection agency

You have the right to file a complaint with the Danish Data Protection Agency.

9 Contact information

Plesner Advokatpartnerselskab
Company Registration (CVR) No: 38 47 79 35
Amerika Plads 37
DK-2100 Copenhagen Ø, Denmark
Email: Compliance@plesner.com 
Tel: +45 3312 1133
 

Last updated: 12 September 2023