Org.nr: 981 472 470

Last updated: 18.12.2023


1. Applicability of this privacy policy  

The privacy policy concerns personal data processed by ECIT Law Advokater AS (hereafter referred to as «ECIT Law», «we» or «us»). We are the data controller for the processing of personal data as described in this privacy policy. The policy is intended to inform you as a client/collaborative partner about how we process your personal data, and the purpose of the processing.

ECIT Law offers a variety of legal services, and the term «case» used in this policy must therefore be understood broadly unless otherwise is stated, so that it covers all our undertaken assignments related to our operations, rather it be consultation, document- and contract revision, trials, or other legal counseling.

You will find our contact information on the last page.

2. Who we process data about

This privacy policy applies to our processing of personal data with respect to legal practice.

We process personal about:

  • our clients; including private clients, individuals, and contact persons at corporate clients;
  • personal information about individuals related to a case (including, counterparties, suppliers, collaborative partners) or other individuals involved or affected by a case we assist in
  • other individuals mentioned in case documentation we get access to;
  • data about our employees;
  • data about our partners;
  • visitors to our website;

3. Purpose, types of personal data and legal ground

Below is an overview of the purposes for which we process personal information, the types of personal information we process, and the legal basis for the processing.

Establishing a client relationship and administration of the client relationship: When we are contacted by a client with a request to take on an assignment, we conduct a conflict assessment before potentially accepting the assignment. This conflict assessment is performed based on a legitimate interest and serves a legitimate purpose. . The legal basis for this is GDPR Article 6 (1)(f), cf. also Domstolloven (Courts Act) § 224,  and advokatforskriften (the Attorney Regulations) Chapter 12.

For private clients, this conflict assessment typically involves the processing of the full name, the subject matter of the case, and, if relevant to the case, creditworthiness.

In general, conflict assessments on behalf of corporate clients will not involve the processing of personal information.

In connection with the establishment of a new client relationship, we conduct customer due diligence in accordance with the rules of hvitvaskingsloven (the Anti-Money Laundering Act) and its associated regulations.

Customer due diligence typically involves:

  • Register specific information in accordance with hvitvaskingsloven (the Anti-Money Laundering Act) §§ 12 and 13,  cf. also  §§ 17 and 18.
  • to verify the identity of the client and any beneficial owners (if any).
  • and to obtain information about the purpose and intended nature of the client relationship.

Such customer due diligence is required for us to fulfill our legal obligations in accordance with hvitvaskingsloven (the Anti-Money Laundering Act) §§ 4, 7, 8, 12, 13, 17, 18, and hvitvaskingsforskriften (the Anti-Money Laundering Regulation) § 4, cf.  GDPR Article 6 (1) (c).

If we take on the assignment, the following contact information is registered  for private clients and corporate clients:

  • Full name of contact person(s), representatives, and owners of the client
  • National identification number and D-number (for private clients)
  • Phone number of contact person(s), representatives, and owners of the client
  • Email address of contact person(s), representatives, and owners of the client
  • Postal address of the client

The registration of the abovementioned personal  information for private clients and corporate clients is necessary to demonstrate compliance with a legal obligation to which ECIT LAW is subject, cf. GDPR Article 6 (1) (c).

Case Management: Some legal assignments may provide  us access to personal information about parties or other individuals that are affected by a case. This type of information may emerge from documents submitted by the client or from other correspondence in the case. The processing of personal information with respect to assignments for corporate clients have legal basis in GDPR article 6 (1) (f), a legitimate interest. Processing of personal information with respect to assignments for private clients have legal basis in GDPR article 6 (1) (b), the processing is necessary to fulfill an agreement with whom the registered person is a part of.
Additionally, some cases will provide us access to sensitive information, e.g., health information or criminal convictions and offenses. In those cases, processing of the data is based in GDPR article 9 nr. 2 letter f (processing is necessary to assess, assert or defend a legal claim), cf. The Norwegian Personal Data Act (new in 2018) section 11.

Knowledge Management: When working on an assignment, we often create documents for our clients. Occasionally we chose to transform those documents to templates that can be applied in future cases. The templates and models are anonymous and will not contain any personal data. The legal ground for our processing is our interest in utilizing prepared knowledge in further counseling cf. GDPR article 6 (1) (f)., 

Client Administration: Separate case folders are created for assignments carried out on behalf of the client. Time and costs incurred in a specific case are recorded in our accounting system. An internal overview of cases and tasks for clients may be entered into project tools used for internal purposes. Our procedures related to client administration with respect to corporate clients have legal basis in GDPR article 6 (1) (f), a legitimate interests, while it for private clients is considered a necessary element to fulfill the agreement with the concerned, cf. GDPR article 6 (1) (b).

Storage and Retention of Case Documents: We retain case documents for 10 years after the completion of the assignment unless the client requests a shorter or longer retention period. Once the case is concluded in our case management system, the case documents are transferred to our archival system and securely stored in a locked system. Storage within the specified timeframe (10 years) is considered necessary for both the client's and our own interests, as questions or legal disputes may arise in the future where the archived information for a previous case may become relevant again. The legal basis for processing personal information is GDPR Article 6 (1) (f), a legitimate  interest, and GDPR Article 9 (2) (f) (establishing, exercising, or defending legal claims), cf. personopplysningsloven (the Personal Data Act) (new in 2018) § 11.

Invoicing: Contact information received from corporate clients is used to mark / label invoices sent to the corporate client if the client requests it. For private clients, the client's private postal address is used for invoice delivery, or their email address for electronic invoicing. The legal basis for this is GDPR Article 6 (1) (f), a balancing of interests for corporate clients, and GDPR Article 6 (1) (b) (necessary for the performance of a contract with the data subject) for private clients.

IT Operations and Security: Personal information stored in our IT systems may be accessible to us or our vendors for system updates, implementation or monitoring of security measures, troubleshooting, or other maintenance. The legal basis for this is GDPR Article 6 (1) (f), a balancing of interests considering our legitimate interest associated with the above activities, and our legal obligation to maintain adequate information security levels per GDPR Article 32.

Sending Newsletters, Marketing, and Other Relevant Information: We send newsletters to email addresses registered for clients for whom we continuously provide legal services and to others who have requested or consented to receive our newsletter. Recipients of the newsletter can easily unsubscribe from the service by using a link included in a single communication (or by contacting their respective contact person in the law firm). The legal basis for this is GDPR Article 6 (1) (f) (balancing of interests) where we have received the email address in connection with a legal assignment. Our legitimate interest in using personal information for marketing purposes is to inform about our products and services, as well as updates regarding current laws and changes in legislation that may affect the clients and/or potential clients we address. Our direct marketing services ensure that our clients receive updated information that we consider valuable for the client or potential client.

If there is an existing client relationship, marketing will be conducted in accordance with markedsføringsloven (the Marketing Act) § 15(3). In other contexts, marketing is based on consent from the individual, as per markedsføringsloven  (the Marketing Act) § 15(1) and GDPR Article 6 (1) (a).

4. To whom we share personal data with

Our third-party suppliers, including IT service providers, providers of project and communication tools, and other collaborative partners, may have access to personal information if the data is stored with the supplier or is otherwise accessible to the supplier in accordance with the contract with us.

We process personal information on various platforms and applications in connection with both internal and external processes. The work tools, systems, and collaborative partners we use are as follows:

Project- and communication tool systems and IT operation services:

  • Microsoft Office 365 (Word, Excel, PowerPoint, Teams, Email, Calendar, Outlook, One Drive)
  • G Suite (Gmail, Google Doc, Google Drive, Google Meet, Google Calendar)
  • Slack
  • Workshare compare
  • Adobe
  • ECIT Solutions/Dokumentpartner
  • ECIT Sign
  • Verified
  • Advisor
  • Legal Plant
  • Sparebank 1, Ringerike/Hadeland

Accounting systems and invoicing systems:

  • Advisor
  • Tripletex
  • PowerOffice Go

Accountant, auditor, and other collaborative partners:

  • Wepe Regnskap AS
  • Eyedea AS
  • Deloitte AS
  • ECPay

Marketing tools and systems:

  • LinkedIn
  • Facebook
  • Workplace
  • Instagram
  • Prismic

Advisor is a provider of legal solutions, delivering systems for case management, document handling, knowledge management, timesheets, and invoicing. Read Advisor's privacy policy here: Advisor Personvernerklæring.  

ECIT Solutions/Dokumentpartner is a provider of IT operation services. Read ECIT's privacy policy here: ECIT Personvernerklæring

ECIT Sign is a solution for electronic/digital document signing. ECIT Sign provides signing in the form of 'handwriting' and secure signing with eID. Read ECIT's privacy policy here: ECIT Personvernerklæring

Verified is a solution for electronic signing of documents and web forms, used to conduct ID verification of customers (electronic identification). Read Verified's privacy policy here: Verified Personvernerklæring 

PowerOffice Go is a system for accounting, invoicing, and time tracking / hour registration used by both us and our accountant. Read PowerOffice Go's privacy policy here: PowerOffice Go Personvernerklæring

Tripletex is a provider of legal solutions, delivering systems for case management and document handling. Read Tripletex's privacy policy here: Tripletex Personvernerklæring

Wepe Regnskap is our authorized accountant. Read Wepe Regnskap’s privacy policy here: Wepe Regnskap Personvernerklæring

Sparebank 1, Ringerike/Hadeland er is our business bank. Read Sparebank 1, Ringerike/Hadeland’s privacy policy here: Sparebank 1, Ringerike/Hadeland Personvernerklæring

ECPay is our partner in debt management. They assist in the follow-up of unpaid invoices and debt collection. ECPay Personvernerklæring

Dun & Bradstreet (Bisnode) we use to conduct creditworthiness  checks on new customers as part of the initial procedure when taking on assignments. Read Dun & Bradstreet (Bisnode)'s privacy policy here: Dun & Bradstreet Personvernerklæring

Deloitte is our authorized auditor. Read Deloitte’s privacy policy here: Deloitte Personvernerklæring 

ECIT is an accounting and IT group we occasionally collaborate with at various levels, both concerning existing clients and new clients, where we, among other things, receive incoming assignments via ECIT and collaborate on assignments with ECIT. Read ECIT’s privacy policy here: ECIT Personvernerklæring

G Suite is a collection of cloud-based services and applications for data and mobile that we use for case management, document handling, and knowledge management. Read Google's privacy policy here: G Suite Personvernerklæring

Microsoft Office 365 is a collection of cloud-based services and applications for data and mobile that we use for case management, document handling, and knowledge management. Read Microsoft's privacy policy here:: Microsoft Office 365 Personvernerklæring

Slack is a communication tool system with features such as chat rooms (channels) organized by topic, private groups, and direct messages. We use Slack, among other things, for internal communication regarding assignments we are working on and for sharing documents. Read Slack's privacy policy here: Slack Personvernerklæring

Workshare Compare is a comparison program to track changes made in documents. We use it in connection with the preparation of contracts and similar documents. Read Workshare Compare’s privacy policy here: Litera Workshare Personvernerklæring

Adobe System is a tool we use for document and image processing. Read Adobe’s privacy policy  here: Adobe Personvernerklæring

Norkart is a Norwegian provider of Geographic Information Systems (GIS). We use Norkart to gather property information in connection with and related to assignments we undertake for clients. Read Norkart’s privacy policy here: Norkart Personvernerklæring

Ambita is a Norwegian provider offering ICT services, systems, and products based on property and map information, including data from municipalities, housing cooperatives, power companies, and the Norwegian Mapping Authority. We use Ambita to gather property information in connection with and related to assignments we undertake for clients. Read Ambita’s privacy policy here: Ambita Personvernerklæring

Facebook/Workplace offers well-known features such as profile creation, pages, and groups, services for chat, live video broadcasting, etc. We use these services for both internal and external communication and marketing. Read Facebook’s (including Workplace’s) privacy policy  here: Facebook Personvernerklæring

Instagram is an image-sharing service that offers profile creation, pages, chat, sharing of live stories, and images. We use these services for internal and external communication and marketing towards clients. Instagram Personvernerklæring

LinkedIn offers services for the creation and management of business profiles and personal profiles. We use LinkedIn to engage with our professional network, access knowledge, insights, and opportunities, publish content from our channels, including reaching out to and communicating with potential new customers. Read LinkedIn’s privacy policy  here: LinkedIn Personvernerklæring 

Prismic we use in connection with the development of our website. Read Prismic’s privacy policy  here. Prismic Personvernerklæring

LegalPlant is a platform for lawyers for case registration, workflow, customer contact, and more. A license agreement has been entered into with LegalPlant, giving ECIT LAW the right to use the current version of the platform. Read LegalPlant’s privacy policy  here: LegalPlant Personvernerklæring

Third parties mentioned above can only use personal information for the purposes we have determined and described in this privacy statement, including as described in the privacy statements of our respective third parties.

We strive to ensure that all processing of personal information we undertake (or our partners and suppliers undertake on our behalf) occurs within the EU/EEA area. If we process personal information outside the EU/EEA (third countries), the EU's standard contract/clauses for the transfer of personal data to third countries will be used as the legal basis (in accordance with 2010/87/EU and C-311/18), or alternatively another legal basis for such transfer under Chapter V GDPR.

Additionally, processing will only take place after a privacy law risk assessment has been conducted in the relevant third country.

5. Confidentiality

Lawyers are subject to a legally enforced duty of confidentiality as stipulated in straffeloven (the Penal Code) § 211). All information entrusted to us in connection with an assignment is handled confidentially.

We do not share personal information in other instances or through other means than described in this privacy policy, unless the client explicitly requests or consents to it, or if the disclosure is required by law.

6. Storing of personal data

We store case documents in our case management system for the duration of the case. At the conclusion of the case, the individual case file is transferred to our archive, where it can be stored for an additional 10 years.

The accounting legislation also requires us to store specific accounting documents for a specified period. When a particular purpose necessitates storage for a given timeframe, we ensure that personal data is exclusively used for the specific purpose during this period.

7. Your rights

In accordance with applicable laws about processing of personal data, you have several rights as our client.The specific rights you have depend on the circumstances.

Right to withdraw consent: If the processing is based on your previously given consent for the processing of personal data (e.g., for marketing purposes), you have the right to withdraw this consent at any time by contacting us.

Request for access: As a client/user, you have the right to know what information we have stored about you, as long as confidentiality obligations do not prevent this. Such information can be easily obtained from us upon request. To ensure that personal information is disclosed to the correct person, we may request that requests for access be made in writing or through other means that will help us identify you as a client.

Request correction or deletion: You can always ask us to correct inaccurate information about you or request the deletion of personal data. To the extent possible, we will comply with requests for deletion unless there are compelling reasons why the information cannot be deleted, such as the need to retain the information for documentation purposes.

Request to have your data transferred (Data portability): The right to data portability allows you, as a client, upon a simple request, to access and obtain the personal information you have provided to us in order to transfer it in a machine-readable format to another law firm. If technicalities allow it, the data may in certain cases be eligible to direct transfer to the other firm. 

Lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet): If you disagree with how we handle your personal information, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).

8. Security

We have established procedures to handle personal data in a secure manner. The measures are both technical and organizational. We conduct regular assessments of security in all key systems used for handling personal data, and agreements have been made that require providers of such systems to ensure satisfactory information security.

9. Changes to the privacy policy

We reserve the right to make minor changes to this privacy policy. You can always find the latest updated version on our website. In case of significant changes, we will provide notice.

10. Contact information

If you have inquiries regarding our privacy policy or wish to exercise your rights, you can contact us: 

Name of contact person: Mathias T. Gebremichael

Contact by phone: (+47) 467 90 069

Visiting address: Møllergata 23-25, 0179 Oslo, Norge

Mailing address: Møllergata 23-25, 0179 Oslo, Norge

Contact by email: mathias@ecitlaw.com