Privacy and cookies

This privacy policy applies to Codex Advokat Oslo AS (“we”, “us” or “Codex”). We are the data controller for the processing of personal data described in this privacy policy. Our contact details are provided below.

This privacy policy applies to our processing of personal data relating to:

• private clients
• clients in criminal cases
• contact persons at business clients
• contact persons at suppliers and business partners
• individuals involved in matters in which we provide assistance
• other persons referred to in case documents to which we have access
• visitors to our websites
• persons who receive newsletters and information from Codex by email

Below, we explain the purposes for which we process personal data, the types of personal data we process, and the legal basis for that processing.

When a client contacts us to ask whether we can take on an assignment, we carry out an internal independence check (conflict check) before deciding whether to accept the matter. This serves a legitimate interest and is based on Article 6(1)(f) GDPR.

For private clients, a conflict check will normally include full name, the nature of the matter and, where relevant, creditworthiness. In general, conflict checks relating to business clients will not involve the processing of personal data.

In connection with establishing a client relationship, we also carry out customer due diligence in accordance with anti-money laundering legislation. This includes collecting documentation confirming the client’s identity, such as valid identification and the identity of the client’s contact persons. This processing is necessary to comply with our legal obligations under Article 6(1)(c) GDPR.

If we are able to accept the assignment, we register contact details and, where relevant, a copy of identification. For private clients, this processing is necessary in order to enter into a contract under Article 6(1)(b) GDPR. For business clients, the registration of contact details is based on Article 6(1)(f) GDPR.

Some legal assignments require us to access personal data relating to parties or other individuals affected by a matter. Such information may appear in documents submitted by the client or in other correspondence relating to the matter. For business-related assignments, the processing is based on Article 6(1)(f) GDPR.

In some cases, we may also process special categories of personal data, such as health data, or data relating to criminal convictions and offences. In such cases, the processing is based on Article 9(2)(f) GDPR, as it is necessary for the establishment, exercise or defence of legal claims, cf. Section 11 of the Norwegian Personal Data Act.

In order to improve and develop our legal services, we may prepare templates based on advice previously provided. Personal data will be anonymised unless the template is prepared for the same client to whom the data relates. As a knowledge-based organisation, we may also draw on experience from previous matters when providing advice. The legal basis is our legitimate interest under Article 6(1)(f) GDPR.

Separate case files are created for assignments carried out on behalf of clients. Time spent and costs incurred in a matter are recorded in our accounting systems. For business clients, this processing is based on Article 6(1)(f) GDPR. For private clients, it is a necessary part of fulfilling the agreement under Article 6(1)(b) GDPR.

As a general rule, we retain case documents for 13 years after the assignment has ended. Once a matter is closed, it is stored in our archive systems, electronically and/or physically. This retention period is considered necessary both for the client and for ourselves, since questions or disputes may arise later where the archived information becomes relevant again.

The legal basis is Article 6(1)(f) GDPR and Article 9(2)(f) GDPR, cf. Section 11 of the Norwegian Personal Data Act.

Accounting legislation also requires us to retain certain accounting documents for specified periods. Where a specific purpose requires storage for a certain period, we ensure that the personal data is used only for that purpose during that period.

Contact details received from business clients may be used to address invoices where requested by the client. For private clients, invoices are sent to the person’s residential address or other address provided. The legal basis is Article 6(1)(f) GDPR for business clients and Article 6(1)(b) GDPR for private clients.

Personal data stored in our IT systems may be accessible to us or our suppliers in connection with system updates, implementation or follow-up of security measures, troubleshooting or other maintenance. The legal basis is Article 6(1)(f) GDPR and our legal obligation to maintain appropriate information security under Articles 32 and 6(1)(c) GDPR.

Lawyers are subject to a duty of confidentiality. All information entrusted to us in connection with an assignment is handled confidentially. We may share personal data with courts, counterparties and other advisers where necessary to carry out an assignment.

Our IT service providers and their subcontractors may also have access to personal data where data is stored with, or otherwise made available to, the provider under our agreement with them. We always enter into the necessary data processing agreements in such cases. Any transfer of personal data outside the EEA will be based on a lawful transfer mechanism, such as the EU Standard Contractual Clauses.

We do not disclose personal data in any other way unless the client explicitly requests or consents to this, or where disclosure is required by law.

In connection with marketing activities such as courses, events and newsletters, we may collect and process the following personal data:

• contact information, such as name, email address, telephone number, job title and workplace
• responses to surveys and evaluations
• photographs and videos from courses, seminars and other Codex events

If you subscribe to our newsletter, you consent to your email address being used to send newsletters and for anonymised ad personalisation. Your email address is never shared in plain text and is processed securely using hashing technology.

We process personal data in connection with marketing activities in order to follow up clients and others who have actively requested information from us. This includes information about our services, legal updates, and invitations to events and courses.

When arranging courses and events, we also process personal data in order to inform participants, administer the event and prepare participant lists.

We may also use personal data to tailor and evaluate the effect of our marketing activities.

It is voluntary to receive newsletters and to register for courses, seminars and events. Our processing of your personal data is therefore based on your consent under Article 6(1)(a) GDPR, unless another legal basis is stated.

Where we have received an email address in connection with a legal assignment, the legal basis may instead be Article 6(1)(f) GDPR. If an existing customer relationship exists, marketing may also take place in accordance with Section 15(3) of the Norwegian Marketing Control Act.

Where photographs and/or videos are taken at Codex events, we comply with Section 104 of the Norwegian Copyright Act concerning the right to one’s own image before publication. We will therefore request consent before publishing images where an individual, rather than the event itself, is the main subject.

For certain events, such as courses and seminars, we may cooperate with co-organisers. In such cases, it may be necessary to share contact information with them. If you have consented to receive newsletters and other marketing communications, this consent will also cover sharing information with our co-organisers.

In some cases, we use services provided by third-party suppliers, such as IT providers, marketing agencies, newsletter platforms and collaboration systems. These providers may process personal data on our behalf. We always enter into the necessary data processing agreements in such cases.

Information collected in connection with marketing activities is stored in our CRM system and other internal systems, as well as in the systems of our partners where necessary to fulfil the purpose of collection.

We only process and store personal data for as long as necessary for the intended purpose or as required under agreements and applicable law. You may also request deletion of your personal data.

We use Customer Match to reach users directly on their Google profiles. When these services are used, your email address or telephone number may be matched against information registered on your Google account.

The information processed is encrypted, and the data is not retained for longer than necessary to create the target audiences and ensure compliance with applicable guidelines. Once these processes are completed, the data files are deleted immediately.

The legal basis for this processing is our legitimate interest in providing relevant marketing to users who are customers both of us and of Google, pursuant to Article 6(1)(f) GDPR.

We collect and process personal data through services such as Facebook, YouTube, Instagram and LinkedIn, as well as through the following websites:

• codex.no
• arbeidsrettsadvokater.no
• eiendomsadvokater.no
• personskadeadvokater.no
• rettighetsadvokater.no
• familierettsadvokater.no
• entrepriserettsadvokater.no
• skatteadvokater.no
• selskapsrettsadvokater.no
• codex.arbeidsrettsadvokater.no
• codex.eiendomsadvokater.no
• codex.personskadeadvokater.no
• codex.rettighetsadvokater.no
• codex.familierettsadvokater.no
• codex.transaksjonsadvokater.no
• codex.entrepriserettsadvokater.no

Codex collects information through forms on our websites and through cookies. Providing this information is voluntary. However, if you choose not to provide personal data, we may be unable to provide access to certain products or services. You can control cookies through your browser settings and other tools.

Our social media profiles are established in accordance with the terms of the relevant platforms. Following our profiles requires a user account on the relevant social media platform.

Through our websites, we may collect and process:

• name, email address, telephone number and any information you submit through contact forms
• name, email address and telephone number when downloading or purchasing products or services
• IP address and information about website usage, such as visited pages and browser settings

We do not link this information directly to you as a user. It is used to administer and maintain our websites.

We encourage users not to provide sensitive personal data, such as health data, religion, political opinions, sexual matters, criminal convictions or offences, through our contact forms.

We may use information about you for the following purposes:

• sending newsletters and information about our services
• providing access to our products and services
• informing you about our services, seminars, courses and other events
• generating statistics, aggregation and administration in order to improve website functionality and user experience

We may create profiles based on collected information in order to offer you the most relevant services and provide good customer service. Unless another legal basis is stated, this processing is based on your consent under Article 6(1)(a) GDPR.

We also process personal data in connection with our social media presence in order to share information and communicate with users. The legal basis for this is our legitimate interest under Article 6(1)(f) GDPR.

Information collected through website forms and cookies is stored in our CRM system and other internal systems, as well as in the systems of our partners where necessary to fulfil the purpose of collection.

We only process and store personal data for as long as necessary for the intended purpose or as required by law or agreement. You may also request deletion of your personal data.

When you visit our websites, we use cookies. If you do not wish to accept our use of cookies, you may withdraw your consent by changing your browser settings. Please note, however, that this may affect the functionality of our websites.

We use the following cookies and related technologies for marketing and analytics purposes:

• Google Analytics
• Google Ads
• Microsoft Ads
• LinkedIn
• HubSpot
• Cookiebot
• Vimeo
• Meta (formerly Facebook)
• TikTok

We use consent as the legal basis for cookie-related processing under Article 6(1)(a) GDPR.

You have rights relating to personal data concerning you. Which rights apply will depend on the circumstances.

We have established procedures to handle personal data securely. These measures are both technical and organisational. We carry out regular assessments of the security of our key systems used to process personal data, and we have agreements in place requiring suppliers of such systems to maintain satisfactory information security.

We reserve the right to amend or update this privacy policy. The latest version will always be available on our website.

If you have any questions or comments about this privacy policy, or if you wish to exercise your rights, please contact us:

Codex Advokat Oslo AS
Postboks 8744 St. Olavs plass
Oslo, Norway

Email:gdpr@codex.no
Phone:+47 22 93 38 50