The relevant personal data rules currently applicable for our processing of personal data are laid down in the General Data Protection Regulation (Regulation no. 2016/679 of 27 April 2016) and the Danish Data Protection Act (Act no. 502 of 23 May 2018).
Our data protection policy relates to our processing of personal data as data controller. We are the data controller in a number of situations, such as when we handle client matters, when we engage new employees and in connection with marketing activities.
- Data responsibility
SmithtKrag protects and processes the personal data of our clients, opponents, suppliers, employees, partners and recipients of marketing information, etc., in accordance with the law on processing of personal data as applicable at any time.
- The use of personal data
“Personal data” includes any information relating to an identifiable natural person, such as the person’s name, e-mail address, personal identification number (CPR number) and address, and to factors specific to the physical, physiological, financial, cultural or social identity of that person. Data on legal persons are not included in the definition of “personal data”.
Depending on the nature of the case or inquiry, we process general data, identification data (CPR number), data on criminal offences and sensitive data.
- Where the data comes from
We collect personal data directly from you or from a third party, such as clients, public authorities or partners.
- Processing of personal data
“Processing” of personal data covers any activity involving personal data, such as collection, recording, structuring, organisation, storage, adaptation, alteration, consultation, use or disclosure.
We primarily process personal data about our clients, opponents, suppliers, employees and partners, but only to the extent necessary for the specific purpose and if there is a legal basis for doing so.
In most cases, we need to process general personal data, such as name, title, telephone number and e-mail address. The processing is necessary to enable us to deliver our legal services, submit invoices and perform quality assurance and audit and to comply with the requirements for documentation of identity under the Anti-Money Laundering Act to which we are subject in many matters.
In addition, it may in certain situations be necessary for us to process data on criminal offences and to process sensitive data such as data concerning health.
- Disclosure of personal data
We only disclose your personal data to external parties if necessary and if there is a legal basis for doing so. External parties may be public authorities, private businesses or persons, foundations, associations, etc., depending on the nature of the matter. In addition, we pass on data to our data processors (e.g. IT suppliers).
Internally, only employees with a work-related need to see your personal data will be able to access the data.
- The legal basis for our processing of personal data
We collect and process personal data on the following legal basis:
In connection with supply of legal services, we process data on clients, opponents and business partners under the authority of Article 6(1), point (f) of the General Data Protection Regulation (the legitimate interests rule) and Article 9(2), point (f) of the General Data Protection Regulation. This is based among other things on a legitimate interest in establishing, exercising or defending legal claims and in safeguarding the interests
of our clients. We also process personal data on our clients under the authority of Article 6(1), point (b) of the General Data Protection Regulation where the processing is necessary for concluding and performing the contract on legal assistance.
In general, we process personal data when the processing is necessary for compliance with a legal obligation (e.g. under the Anti-Money Laundering Act). This is authorised under Article 6(1), point (c) of the General Data Protection Regulation. We process data on criminal convictions and offences under the authority of Article 10 of the General Data Protection Regulation and section 8 of the Danish Data Protection Act (databeskyttelsesloven). We process CPR numbers (personal identification numbers) under the authority of section 11(2) of the Danish Data Protection Act.
- Deletion of your data
We will delete your personal data recorded with us when they are no longer necessary for the purpose(s) for which they were collected or processed.
We have internal guidelines for the period of storage of all categories of personal data. The guidelines are determined in accordance with the obligations to which we are subject under applicable law, including documentation and auditing requirements.
- Your rights
You have certain rights under the data protection rules in relation to our processing of data about you.
If you wish to exercise any of those rights, please contact us. You have the following rights:
- Right of access: You are entitled to access the data that we process about you and certain other information.
- Right of rectification: You are entitled to have incorrect data about you corrected.
- Right of erasure: In special circumstances you are entitled to have data about you erased before the time of our generally scheduled erasure.
- Right of restriction of processing: You are in certain circumstances entitled to restriction of processing of your personal data.
- Right to object: You are in certain circumstances entitled to object to our otherwise lawful processing of your personal data.
- Right to data portability: You are in certain circumstances entitled to receive personal data in a structured, commonly used and machine-readable format and to transmit those data to another controller.
- Right to withdraw of consent: Where our processing of your personal data is based on your consent, you are entitled to withdraw your consent at any time. You may do so by contacting us as specified below. If you choose to withdraw your consent, this will not affect the lawfulness of our processing of your personal data on the basis of your previous consent until the time of the withdrawal. If you withdraw your consent, this will only take effect at the time of the withdrawal.
You can read more about your rights in the Danish Data Protection Agency’s guide to the rights of data subjects, available at www.datatilsynet.dk.
You may contact us if you wish to exercise any of your rights as described in paragraph 8 above, if you wish to complain, or if you have any other questions in relation to our personal data policy.
In this connection, please write to your closest contact person with us or as follows:
Advokatfirmaet SmithKrag I/S
Kgs. Nytorv, August Bournonvilles Passage 1
1055 København K
TLF: +45 40 49 27 72
- Complaint to the Danish Data Protection Agency
You may also complain to the Danish Data Protection Agency about our processing of your personal data. See for more information www.datatilsynet.dk.