Privacy policy

2. CATEGORIES OF PERSONAL DATA WE PROCESS

Lassen Ricard only collects and processes personal data to the extent necessary for the stated purposes, and if there is a lawful basis for doing so.

We therefore usually only ask to receive general personal information such as name, position and contact information. Your contact information will typically be phone number, email address and place of work or home address.

However, depending on the type of case, it may be necessary for Lassen Ricard to obtain and process other types of personal data, including sensitive data.

Finally, in order to comply with our obligations under specific legislation, such as the Danish Anti-Money Laundering Act, it will often be necessary for us to obtain your civil registration number (CPR number) and a copy of your passport/health insurance card.

You can read more about what personal data about you we process under the different categories in section 3.

Establishing and building client relationships

In order to provide our legal assistance, we process various personal data in connection with the establishment and building of the client relationship.

We process:

General personal data in the form of name, address, title/position, company, CVR number, phone number and email address in order to establish the client relationship, to set up the client and the case in our internal case system, to comply with the Code of Conduct for the Danish Bar and Law Society on conflicts of interest, to be able to communicate with the client, and to build the client relationship.
Name, CPR number and copy of passport or driver's licence of clients and clients' beneficial owners in order to comply with our obligations under the Danish Anti-Money Laundering Act, including implementation and documentation of client due diligence procedures (KYC procedures).
Sensitive personal data in the form of information about clients' and clients' beneficial owners' status as politically exposed persons (PEP) in order to comply with our obligations under the Danish Anti-Money Laundering Act.

Our processing is based on the following legal grounds:

Article 6(1)(b) of the General Data Protection Regulation (GDPR) on the performance of a contract to which the client is a party.
Article 6(1)(c) of the GDPR on compliance with a legal obligation incumbent on our company.
Article 6(1)(f) of the GDPR (the balancing of interests rule), where the legitimate interest consists in establishing and building client relationships.
Section 11(2)(1) of the Danish Data Protection Act on the processing of civil registration numbers when it follows from the legislation.
Article 9(2)(g) of the GDPR on the processing of sensitive personal data when necessary for reasons of substantial public interest.
The Danish Anti-Money Laundering Act, the Danish Administration of Justice Act and the Code of Conduct for the Danish Bar and Law Society in force at any given time.

Legal assistance and advice (Clients and third parties associated with our clients' cases)

In order to provide legal assistance and advice to our clients, we process a range of personal data about our clients and other persons associated with our clients and cases, such as business owners, managers, board members, employees, customers, suppliers, debtors, parties, counterparties, representatives, witnesses, experts and arbitrators. We process:

General personal data in the form of name, address, email address, phone number, position and relation to the case in order to be able to carry out the assignment that a client assigns to us, including making any necessary registrations in the authorities' digital systems.
Other general personal data of a specific nature that is part of the case and is necessary to carry out an assignment from the client. Depending on the nature of the assignment, it can be, for example:
- Disputes, litigation and arbitration proceedings:
  Financial information, contractual arrangements, compensation and damages matters, correspondence and information of a purely private nature such as family matters.
- Private matters such as wills, marital agreements, estate administration and real estate transactions:
  Financial information, family relationships, birth and death certificates and other information of a purely private nature.
- Employment law advice:
  Personnel information, salaries, terms of employment, and warnings and other sanctions.
General personal data in the form of name, address, position and relation to the client and the case in order to identify potential impartiality or conflicts of interest.
Information about criminal offences and sensitive personal data, such as information about political opinions, trade union membership and health information, if the specific circumstances of a case with which we assist call for such information in order for us to be able to carry out the assignment from the client.
CPR number when we need this to carry out the client's assignment, including e.g. for making registrations in public-authority databases, such as virk.dk, tinglysning.dk and minretssag.dk.

Our processing is based on the following legal grounds:

Article 6(1)(b) of the GDPR on the performance of a contract to which the client is a party.
Article 6(1)(c) of the GDPR on compliance with a legal obligation incumbent on our company.
Article 6(1)(f) of the GDPR (the balancing of interests rule), where the legitimate interest consists in carrying out the assignment that a client assigns to us.
Article 9(2)(f) of the GDPR, if the processing of sensitive data is necessary for the establishment, exercise or defence of legal claims.
Article 9(2)(a) and (c) of the GDPR if the data subject has given explicit consent to the processing of sensitive personal data or if the processing of sensitive personal data is necessary to protect the vital interests of the data subject or of another natural person in cases where the data subject is physically or legally incapable of giving consent.
Section 8(3) of the Danish Data Protection Act, cf. Article 10 of the GDPR, if the processing of information about criminal offences is necessary to safeguard a legitimate interest and this interest clearly outweighs the interests of the data subject.
Section 8(4) of the Danish Data Protection Act on the disclosure of information about criminal offences if the consideration of public or private interests clearly outweighs the consideration of the interests that would justify non-disclosure.
Section 8(5) of the Danish Data Protection Act, cf. section 7(1), if the processing of information about criminal offences is necessary to pursue a legal claim.
Section 11(2)(1) of the Danish Data Protection Act on the processing of a CPR number when it follows from the legislation.
Section 11(2)(4) of the Danish Data Protection Act, cf. Section 7(1), when the processing of a CPR number is necessary for the establishment, enforcement or defence of a legal claim.

Administration of foundations and associations

We process personal data as part of our secretarial assistance to private foundations and associations. The processing takes place, among other things, for the purposes of updating member lists, convening and administering meetings and events, collecting membership fees, carrying out board work and administering grant applications. We process:

General personal data of members of associations, such as name, email, phone number, position, education, place of employment and payment transactions with the association's bank account in order to be able to carry out our secretarial assistance to the association.
General personal data on grant applicants in the form of name, position, email, phone number, place of employment, CV, educational documents and other personal data that the applicant shares with the foundation, in order to assess the application and otherwise exercise our role as administrator of the foundation.
CPR number and bank account information for persons who receive fees/remuneration from a foundation or association in order for us to pay the fee/remuneration, and for grant applicants who receive funds from a foundation in order for us to pay the funds.

Our processing is based on the following legal grounds:

Article 6(1)(c) of the GDPR on compliance with a legal obligation.
Article 6(1)(f) of the GDPR (the balancing of interests rule), where the legitimate interest consists in being able to exercise our role as administrator of the foundation or association, including providing secretarial assistance, assessing grant applications and administering payments.
Section 11(2)(1) and (4) of the Danish Data Protection Act when it is necessary to process the CPR number for unambiguous identification, to comply with legal requirements or for the establishment, exercise or defense of a legal claim.

Professional network, suppliers and business associates

We process personal data about our professional network, suppliers and business associates in order to ensure the necessary operation of our company. We process:

General personal data about our professional network in the form of events lists with information such as name, email address, position and seniority.
General personal data on suppliers and business associates, as well as their contact persons, in the form of name, address, email, phone number, position and bank details.

Our processing is based on the following legal grounds:

Article 6(1)(b) of the GDPR on processing that is necessary for the performance of a contract.
Article 6(1)(f) of the GDPR (the balancing of interests rule), where the legitimate interest consists in maintaining contact and managing our relationship with a professional network or suppliers of necessary services for the operation of our company.

Job applicants

In connection with the recruitment of new employees, Lassen Ricard processes the personal data that we receive through job applications, CVs, transcripts of records, other enclosures, references from previous employers and, if relevant, searches on the internet, including social media. We process:

General personal data such as name, email address, phone number, date of birth, education, information about previous employers, experience, references and grades in order to recruit new employees to our company, including assessing the suitability of each applicant.
Private criminal record, if the applicant is offered employment, to assess the applicant's suitability for the job, and to comply with our obligations under the Danish Anti-Money Laundering Act to screen employees prior to employment.

NB: As a general rule, we do not process sensitive personal data about job applicants and kindly ask that you do not include sensitive personal data such as religion, trade union membership and sexuality in your application. We also ask that you cross out your CPR number on e.g. diplomas, as we do not need to process your CPR number in the application process.

Our processing is based on the following legal grounds:

Article 6(1)(b) of the GDPR on processing that is necessary in order to take steps at the request of the data subject prior to entering into a contract.
Article 6(1)(f) of the GDPR (the balancing of interests rule), where the legitimate interest consists in recruiting suitable employees to our company.
Section 8(3) of the Danish Data Protection Act, cf. Article 10 of the GDPR, on the processing of information about criminal offences that is necessary to safeguard a legitimate interest (in this case, security considerations) that clearly outweighs the interests of the data subject.
Article 6(1)(c) of the GDPR on compliance with a legal obligation, cf. section 8(1) of the Danish Anti-Money Laundering Act on screening of employees.
Article 9(2)(b) and (f) of the GDPR, if we, as an exception, process sensitive personal data.

Visitors and event participants

In connection with visits to Lassen Ricard's offices, e.g. in connection with visitors' participation in meetings and events or the delivery of goods and services, we process personal data about the visitor for security and administrative reasons. We process:

General personal data of all visitors in the form of name and place of employment. In some cases, visitors will be asked to show an identification card in the form of, e.g., a driver's licence. The processing takes place for security reasons, including to ensure that no one has access to our offices without a legitimate reason.
General personal data in the form of name, email, position, place of employment and any dietary restrictions of course participants in order to be able to organise the course, administer your participation in the course and prepare and send course certificates and any relevant material to you.

Our processing is based on the following legal grounds:

Article 6(1)(f) of the GDPR (the balancing of interests rule), where the legitimate interest consists in maintaining security measures in our office and preventing/investigating potential criminal activity, and/or organising courses and events for business partners as part of the operation of our law firm.
Article 6(1)(b) of the GDPR on the performance of a contract when the processing is necessary in connection with your registration for an event.

Social media

Lassen Ricard has a profile on LinkedIn and Instagram.

If you interact with our social media profiles, we process the personal data you make available on the page on the platform. This may include your name, photo and information in the comments to our posts.

Lassen Ricard is considered a joint data controller for the processing of your personal data. When you visit our social media profiles, the company that facilitates the social media is also a data controller for the personal data you make available. In this regard, we refer to: Instagram's Privacy Policy and LinkedIn's Privacy Policy.

5. DISCLOSURE OF YOUR PERSONAL DATA

As a general rule, Lassen Ricard is bound by a duty of confidentiality under the Danish Administration of Justice Act and the Code of Conduct for the Danish Bar and Law Society.

We only disclose your personal data to others if it is necessary, e.g. to safeguard our clients' interests, and there is a legal basis for this, or if we are under an obligation to do so.

In such cases, the disclosure may be made to e.g. relevant authorities, courts, boards, bankruptcy courts, arbitration tribunals, our clients, counterparties, witnesses, third-party advisers, heirs, banks and mortgage credit institutes and insurance companies.

In addition, we disclose personal data to our data processors, e.g. our IT suppliers, who process personal data on our behalf and in accordance with our instructions in order to support the necessary operation of our company.

We do not disclose personal data for the purpose of commercial exploitation, marketing or the like.

6. TRANSFER TO RECIPIENTS IN COUNTRIES OUTSIDE THE EU/EEA, INCLUDING INTERNATIONAL ORGANI-SATIONS

We do not transfer your personal data to recipients outside the EU/EEA unless it is necessary for our handling of the client relationship or carrying out of the assignment to which the personal data is linked.

If it is necessary to transfer your personal data to recipients outside the EU/EEA, such as foreign liaison lawyers, public authorities or courts, we will ensure that necessary security guarantees for the protection of your personal data are met in connection with the transfer.

We do this by ensuring (1) that the transfer takes place to a secure third country/organisation that is covered by an adequacy decision adopted by the EU Commission, or (2) that the transfer takes place on another basis that ensures the necessary guarantee of adequate protection of the personal data in accordance with Articles 46-49 of the GDPR, such as entering into the EU Commission's standard contractual terms on data protection with the recipient.

You have the right to know the transfer basis we use and to obtain a copy of the necessary guarantees. You are welcome to contact us if you wish to do so (see section 1).

7. STORAGE OF YOUR PERSONAL DATA

We store your personal data for as long as necessary to be able to perform the assignment for which your personal data is processed.

As a general rule, we store all information collected in connection with the provision of legal services for 10 years after the conclusion of the case. In special cases, the storage period will be shorter or longer in order to comply with legal requirements for deletion or storage.

When assessing how long it is necessary to store your personal data, we take into account (a) the need to comply with documentation requirements in legislation, e.g. the Danish Bookkeeping Act, the Danish Anti-Money Laundering Act and the Danish Statute of Limitations, (b) our obligations under the Code of Conduct for the Danish Bar and Law Society on conflicts of interest, and (c) our ability to document your case in the event of, for example, a subsequent liability claim.

Below, you can see how long we store your personal data that has been collected in a range of contexts other than the provision of legal services:

Anti-money laundering check: Personal data collected for use in the statutory anti-money laundering check is stored for 5 years after the conclusion of the case.
Bookkeeping records: Personal data included in bookkeeping records is stored for 5 years after the end of the financial year to which the records relate.
Association members: Membership information is stored until the member resigns from the association or until the member has been a passive member for 3 years (i.e. has not paid their membership fee).
Job applications: We store job applications (including enclosures) for 6 months after receipt of the application.
Employees' next of kin: Information about next of kin is deleted when the employee in question resigns from their position at Lassen Ricard.
Visitors: Registrations of visitors at the reception desk will be deleted after 6 months.

Right to transmit information (data portability)

In certain cases, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to have this personal data transferred from Lassen Ricard to another data controller.

You can read more about your rights on the Danish Data Protection Agency's website: https://www.datatilsynet.dk/borger/hvad-er-dine-rettigheder (in Danish)/https://www.datatilsynet.dk/english/fundamental-concepts-/-what-are-your-obligations/rights-of-the-data-subjects (in English), and in the Danish Data Protection Agency's guidance on the rights of data subjects, which you can find at www.datatilsynet.dk (only available in Danish).

10. THE RIGHT TO WITHDRAW CONSENT

If our processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. You can do this by contacting us (see section 1).

If you withdraw your consent, we will cease to process your personal data and delete it, unless we have the right or obligation to continue processing or storing your personal data on another basis, including under applicable law.

Note: If you withdraw your consent, it does not affect the lawfulness of the processing that took place before you withdrew your consent. The withdrawal therefore only takes effect from the time when the withdrawal is made.