Setterwalls Privacy Policy

Transcription

1 Setterwalls Privacy Policy In the course of our business, we, Setterwalls Advokatbyrå AB, reg. no , ( Setterwalls ) and the office companies Setterwalls Advokatbyrå Stockholm AB, reg. no , Setterwalls Advokatbyrå Göteborg AB, reg. no , and Setterwalls Advokatbyrå Malmö AB, reg. no , may process personal data relating to you. Personal data is data which directly or indirectly relates to a living individual; e.g., name, phone number, and address. You are not required to furnish any personal data with us (except as required by law, e.g., pursuant to a subpoena), but if you do not do so, we may not be able to undertake an engagement for you, process your job application, send newsletters or seminar invitations to you, etc. It is important for us to protect your personal data and to ensure that we process such data fairly and lawfully. In this policy, under each of the headings: Personal data relating to engagements (section 1) Personal data relating to job applicants (section 2) Personal data relating to contact person of clients, suppliers and collaboration partners (section 3) Personal data relating to seminars, events, newsletters and other mailings (section 4) Personal data relating to website visitors (section 5) Personal data relating to other persons (section 6) we inform you about who is responsible (data controller) for the processing of personal data relating to you, the types of personal data we may process and for which purposes and on the basis of which legal grounds, how the data is collected, with whom the data may be shared, and how long the data may be stored. In this policy we also inform you about the related rights you have and how you can contact us (the data controllers) with questions about this policy or our processing of personal data Personal data relating to engagements When you or someone else engages Setterwalls for an engagement, we may collect, store and otherwise process personal data relating to you in accordance with this section 1. Who is data controller? Each office company is controller for the processing relating to the engagement carried out by its staff, and is simultaneously processor for Setterwalls and for the other office company/companies, which are involved in the performance of the engagement. 1 This policy does not relate to our processing of personal data relating to our staff. SW283348/3 1

2 What personal data may be processed? The personal data we may process comprises: (a) (b) (c) (d) (e) (f) (g) On client that is a natural person: name, personal identification number (or other information on date of birth), contact information (such as address, address and telephone number), copy of passport or other identification, engagement title, information on the overall objective of the engagement, information of the origin of the assets that will be used in connection with the engagement, information on whether the client or any affiliate or known associate of them is a political exposed person, and name and profession/position of such politically exposed person, and our invoicing, payment history and payment reminders to/with the client. On client that is a legal person: name, personal identification number (or other information on date of birth), title, employer, contact details (such as address, address and telephone number) and copy of passport or other identification for contact person of the client and any beneficial owner of the client, data in the certificate of incorporation or similar for the client, as well as information on whether such beneficial owner or any affiliate of known associate of such person is a political exposed person, and name and profession/position of such politically exposed person. On counterparty that is a natural person: name, personal identification number (or other information on date of birth), contact information (such as address, address and telephone number) as well as engagement title. On counterparty that is a legal entity: name, title, employer, and contact information (such as address, address and telephone number) of contact person of the counterparty. On other persons related to the engagement (e.g., legal representative of the counterparty, arbitrators, other consultants engaged in connection with the engagement, and witnesses): name, title, employer, and contact information (such as address, address and phone number). Single pieces of data relating to that the client, a contact person or beneficial owner of the client, or someone they are acting for in connection with the engagement have been convicted of crimes, have been involved in several bankruptcies, have had bad publicity relating to business matters, or otherwise can be assumed to be unserious, or single pieces of data relating to that the engagement is, or is suspected to be, part of money laundering or other criminal offence. Other single pieces of data relating to criminal conviction or offences, or sensitive personal data (i.e., information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or concerning health or sexual life) when the engagement, on SW283348/3 2

3 (h) the basis of its nature, raises such personal data (e.g., an engagement relating to dismissal or termination of employment due to personal reasons, or alleged discrimination). Other personal data than the data referred to in (a) (g) above, which the engagement, on the basis of its nature, raises. Otherwise, we will not process any sensitive personal information. How is personal data collected? The personal data is provided to us by, or on behalf of, you, the client, the counterparty, the counterparty s counsel or other persons related to the engagement, or collected by us from such persons or from private or public records or sources. Personal data referred to in (f) above is not actively collected by us, and personal data referred to in (f) and (g) above is collected only to the limited extent necessary for the purpose. For which purposes and on which legal grounds may personal data be processed? Personal data may be processed for the purposes of enabling and making required conflict of interest checks, evaluating and deciding whether we can undertake or need to resign from the engagement, and fulfilling our legal, regulatory, and risk management obligations in general, respectively. Such processing is carried out on the basis of our legitimate interest of efficient and correct such checks, evaluation and decision-making, and on the basis that it is necessary for compliance with our obligations under the Swedish Anti Money Laundering legislation, EU s Market Abuse Regulation, other applicable legislation as well as the Rules of the Swedish Bar Association, respectively. Personal data may be processed for the purposes of enabling and effectuating invoicing, accounting for fees and other aspects of the engagement and accounts receivable recovery, and to otherwise protect our rights related to the engagement, respectively. Such processing is carried out on the basis of our (and the client s) legitimate interest of efficient and accurate billing, accounting for fees and other aspects of the engagement and accounts receivable recovery, and on the basis that it is necessary for the establishment, exercise or defence of our legal claims, respectively. Personal data may be processed for the purpose of executing the engagement and our acting as legal representative of the client. Such processing is carried out on the basis of our and the client s legitimate interest of efficient and accurate meetings and communications with the persons involved in the engagement, and efficient and accurate documentation, administration, management, and evaluation of the engagement, and on the basis that it is necessary for the establishment, exercise or defence of the client's legal claims, respectively. SW283348/3 3

4 Personal data may be processed for the purposes of internal statistics and analysing and developing of our business, respectively. Such processing is carried out on the basis of our legitimate interest to follow and develop our business. Despite the above-mentioned, personal data referred to in (f) above may be processed solely for the purposes of evaluating and deciding if we can undertake or need to resign from the engagement, and fulfilling our legal obligations, respectively. Such processing is carried out on the basis of, and only to the limited extent, that it is necessary to fulfil our obligations under the Swedish Anti Money Laundering legislation. Despite the above-mentioned, personal data referred to in (g) above may be processed only for the purpose of executing the engagement and our acting as legal representative of the client. Such processing is carried out on the basis of, and only to the limited extent, that it is necessary for the establishment, exercise or defence of the client s legal claims. With whom may personal data be shared? The personal data may be the subject of legal attorney privilege and our obligation of secrecy and is shared, subject to the restrictions imposed by the Rules of the Swedish Bar Association, with the office companies, but will not be disclosed to any third parties except in the following cases (and then in compliance with the said rules): Personal data may be disclosed to the client s insurer (legal expenses insurance), the counterparty, the counterparty s counsel, an arbitral tribunal, a court, a government authority or agency, a bank, other consultant engaged in connection with the engagement, or similar persons to the extent necessary to protect the client s interests and does not conflict with the client s instructions. Personal data may be disclosed to the client s auditor or other persons in accordance with the client s instructions. Personal data may be disclosed to the Swedish Financial police when and to the extent we are required to do so under the Swedish Anti Money Laundering legislation. Personal data may be disclosed to our bank when we hold funds of a client with that bank, if the bank requests information on the client and its beneficial owner(s) and our documentation on this in accordance with the Swedish Anti Money Laundering legislation, provided that the client, as a condition for the client s use of our client accounts, have consented to that such disclosure may be made. Personal data may be disclosed to the Swedish Bar Association bar when and to the extent we are required to do so by the Rules of the Swedish Bar Association. SW283348/3 4

5 Personal data may be disclosed to a governmental authority or agency or someone else when and to the extent we are required to do so under applicable law. Personal data may be disclosed to our professional liability insurer, our professional liability insurance brokers, counsel that we or such insurer have engaged, the Swedish Enforcement Authority (Sw. Kronofogdemyndigheten) or a debt collector, a court, an arbitral tribunal, or to our counterparty or its counsel to the extent necessary to protect our legal interests. As a general rule, no personal data will be transferred outside the EU/EEA. Such transfer may however occur when it is necessary in the individual case for the purpose of the processing (e.g., to instruct counsel in the USA or other country outside the EU/EEA on behalf of the client), in which case we will ensure that the transfer is subject to adequate safeguards in accordance with EU s General Data Protection Regulation. Such appropriate safeguards may comprise of, for example, that the receiving country ensures an adequate level of protection or be ensured through the use of EU-approved standard contractual clauses. If you want information on such transfer, you must submit a written request to us via the contact details set out in section 10. For how long is personal data stored? Personal data is stored for as long as the Rules of the Swedish Bar Association requires us to keep the file of the engagement, i.e., until ten years after completion of the engagement (or for such longer time as is called for by the nature of the engagement), whereafter the data is deleted. Despite the said, we may store names, personal identification numbers (or equivalent) and engagement titles of clients and counterparties that are natural persons in order to enable us to make necessary conflict checks in accordance with the Rules of the Swedish Bar Association. See also sections 3 and 6 regarding certain data relating to contact persons et al. 2. Personal data relating to job applicants When you apply for a job with us or otherwise communicate you interest for such a job, we may collect, store and otherwise process personal data relating to you in accordance with this section 2. Who is data controller? Each office company is controller for the processing relating to application for a job, or communication of interest of a job, at the office carried out by its staff, and is simultaneously processor for the other office company/companies, which are covered by such application or communication of interest. What personal data may be processed? The personal data we may process comprises name and contact information (such as address, phone number and address), personal identification number (or other information on date of birth), gender, job applied for or office and job of interest, information in SW283348/3 5

6 personal letter, CV and merits and other documents provided, information furnished by reference persons, your test scores, notes and summaries of interviews and discussions during the recruitment process, as well as summaries and analyses relating to you by recruitment consultant or other service provider engaged in connection with the recruitment. We will not process any sensitive personal information (i.e., information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or concerning health or sex life). How is personal data collected? Personal data is provided to us by, or on behalf of, you through our digital recruitment tool or otherwise, or by a recruitment consultant or other service provider engaged in connection with the recruitment, and is collected from reference persons, by the tests you undertake in the course of the recruitment process and from private or public records and other sources. For which purposes and on which legal grounds may personal data be processed? Personal data may be processed for the purpose of performing the recruitment process. Such processing is carried out on the basis of our legitimate interest of efficient and correct recruitment processes. If you have consented to that personal data may be processed for future recruitments, personal data may be processed for that purpose, which processing is then carried out on the basis of such consent. With whom may personal data be shared? Personal data may be shared with the other office companies and may be disclosed to any recruitment consultant or other service provider engaged in connection with the recruitment process. No personal data is transferred outside the EU/EEA. For how long is personal data stored? Personal data may be stored until the recruitment process is completed, whereafter the data will be deleted. If you have consented to that personal data may be processed for future recruitments, such data may instead be stored for two years after you gave the consent (or until the consent is revoked), whereafter the data is deleted. Despite the above, we may store data for as long as a job seeker not employed can take legal actions in respect of the recruitment. 3. Personal data relating to contact persons of clients, suppliers and collaboration partners If you are, or are a contact person of, client, supplier or collaboration partner to us, we may collect, store and otherwise process personal data relating to you in accordance with this section 3. Who is data controller? Each office company is controller for the processing carried out by its staff relating to its client, supplier and collaboration partner relationships, and is simultaneously processor for Setterwalls and for the other office company/companies, which are covered by the client, supplier or collaboration partner relationship. SW283348/3 6

7 What personal data may be processed? The personal data we may process comprises name, title, employer, contact details (such as address, address and telephone number), information about your contact persons with us, information on areas of interest for newsletter and other mailings, information on participation in our seminars and events, as well as notes and summaries from meetings with you (except in the context of an engagement). We will not process any sensitive personal data (i.e., information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or concerning health or sex life). In the context of an engagement, additional personal data may be processed in accordance with section 1. How is personal data collected? Personal data is provided to or collected by us in connection with an engagement in accordance with section 1, or is otherwise provided to us by, or on behalf of, you, the client, the supplier, the collaboration partner or someone who mediates contact between us, or is collected by us from such persons or from private or public records or other sources. For which purposes and on which legal grounds may personal data be processed? Personal data may be processed in accordance with section 1. Personal data may be processed for the purpose of managing the relationship with the client/supplier/collaboration partner. Such processing is carried out on the basis of our legitimate interest to manage the relationships with our clients, suppliers and collaboration partners. Personal data may be processed for the purposes of, through you, maintaining and developing the relationship with the client/supplier/collaboration partner, and, if you have not objected against that, marketing our services (e.g., through newsletters and other mailings, and invitations to seminars and events), respectively. Such processing is carried out on the basis of our legitimate interest to maintain and develop relationships with our clients, suppliers and collaboration partners, and to market our services, respectively. If you have not objected against that, your personal data may be processed, subject to the Rules of the Swedish Bar Association, for the purpose of facilitating industry and market researches by appointed service providers (such as Law Firm of the Year, Chambers and Partners and Legal 500 researches and rankings), and analysing and developing our business, respectively. Such processing is carried out on the basis of our legitimate interest to benchmark and develop our business. If you have consented thereto, your personal data may be processed for the purpose of using you as reference person for another client/supplier/collaboration partner or potential client/supplier/collaboration partner (e.g., in SW283348/3 7

8 connection with public procurement). Such processing is carried out on the basis of such consent. With whom may personal data be shared? The personal data may be the subject of legal attorney privilege and our obligation of secrecy and is shared, subject to the restrictions imposed by the Rules of the Swedish Bar Association, with the office companies, but will not be disclosed to any third parties except in the following cases (and then in compliance with the said rules): Personal data may be disclosed in accordance with section 1. Personal data may be disclosed to a client, supplier or collaboration partner, or a potential client, supplier or collaboration partner, requesting a reference about us. Personal data may be disclosed to a service provider engaged for performing industry or market research. As a general rule, no personal data will be transferred outside the EU/EEA. Such transfer may however occur when it is necessary in the individual case for the purpose of the processing, in which case we will ensure that the transfer is subject to adequate safeguards in accordance with EU s General Data Protection Regulation. Such appropriate safeguards may comprise of, for example, that the receiving country ensures an adequate level of protection or be ensured through the use of EU-approved standard contractual clauses. If you want information on such transfer, you must submit a written request to us via the contact details set out in section 10. For how long is personal data stored? Personal data is stored in accordance with section 1 to the extent the data is part of an engagement. In addition, personal data may be stored as long as the client/supplier/collaboration partner relationship is ongoing and is deleted within three months after the client/supplier/collaboration partner relationship is terminated by us or the client/supplier/collaboration partner or after we having been informed that your position as contact person of the client/supplier/collaboration partner has ceased. Despite the said, personal data comprising name, title, employer, contact details (such as address, address and telephone number) and information on areas of interest for newsletter and other mailings may be stored also thereafter for processing for marketing purposes until you object against that, whereupon it will be deleted. In addition, we will always store your personal data to the extent and for the period of time that we are required to by law, including the Swedish Bookkeeping Act. 4. Personal data relating to seminars, events, newsletters and other mailings When you, through our website, social media channels, our digital mailing/invitation system or otherwise notify us of your interest of our seminars, events, newsletters or other mailings or register for any of our seminars or SW283348/3 8

9 events, we may collect, store and otherwise process personal data relating to you in accordance with this section 4. Who is data controller? Each office company is controller for the processing carried out by its staff relating to mailings of newsletters or invitations etc. or relating to registration for seminars or events, and is simultaneously processor for Setterwalls and for the other office company/companies, which are concerned by such mailing or registration. What personal data may be processed? The personal data we may process comprises name, title, employer, contact details (such as address, telephone number and address), information about areas of interest for newsletter and other mailings, information on registration for participation in seminars or event and, in the case of a seminar or event offering food, special food preferences. How is personal data collected? Personal data is provided to us by, or on behalf of, you through our website, our social media channels, our digital mailing/invitation system or otherwise. For which purposes and on which legal grounds may personal data be processed? Personal data may be processed for the purpose of administering the submission to you of invitations to seminars and events, newsletters and other mailings. Such processing is carried out on the basis of our legitimate interest to submit such mailings to you in accordance with your specified preferences. Personal data may be processed for the purpose of administer the arranging (including in respect of food) of seminars and events with you as participant. Such processing is carried out on the basis of our legitimate interest to administer seminar and event with you as participant. With whom may personal data be shared? Personal data will not be disclosed to any third parties, except through the name tag you will be offered to wear during a seminar or event, or through a list of attendees handed out in connection with a seminar or event. No personal data will be transferred outside the EU/EEA. For how long is personal data stored? Information on your food preferences will be deleted as soon as the related seminar or event has been held. Other personal data may be stored until you deregister/unsubscribe for our seminars, events, newsletters and other mailings, whereupon they are deleted. 5. Personal data relating to website visitors When you use our website, we will (in addition to the personal data you may provide us via our website through our digital recruitment tool, as outlined in section 2, or by notifying us of your interest of seminars, events, newsletters or other mailings or registering for any of our seminars or events, as outlined in SW283348/3 9

10 section 4) collect, store and otherwise process personal data relating to you in accordance with this section 5. Who is data controller? Each office company is controller for the processing relating to website visitors carried out by its staff, and is simultaneously processor for Setterwalls and for the other office companies. What personal data may be processed? The data we may process comprises of IP address (which are made anonymous), address (which are made anonymous), webpages visited, time and duration of visit and cookies (which is a text file that is stored on the computer of anyone visiting a website) and similar data generated by used cookies together with, where relevant, so-called pixeltags, through your use of our website, although no such data is linked to a specific person. How is personal data collected? Personal data is collected and created by cookies and pixeltags through your use of our website. In Setterwalls Cookie Policy, you are further informed about the cookies and data concerned. As mentioned in our cookie policy, you can set your browser so that cookies are not stored or so that approval is requested before a cookie is stored. In this way you can decide if you want to accept or reject each cookie. When you visit our website, you will via a pop-up window have the option to accept or reject cookies during your visit to our site; when you accept cookies, you consent in accordance with our cookie policy to our use of cookies in accordance with that policy. For which purposes and on which legal grounds may personal data be processed? Personal data may be processed for the purposes of analysing the use of our website and developing the site, respectively. Such processing is carried out on the basis of your above-mentioned consent, and on the basis of our legitimate interest to analyse the use of our website and to develop it, respectively. With whom may personal data be shared? Personal data will not be disclosed to any third parties, except that the personal data that is collected or generated by Google Analytics cookies (including your IP address) will be transmitted to and stored by Google on servers in the United States, and Google may disclose it to third parties if it is required by law or where such third parties process the information on Google s behalf; see Setterwalls Cookie Policy for more information about this. For how long is personal data stored? How long personal data is stored depends on by which cookie the relevant data has been collected; from being stored only as long as you have your browser open (so-called session cookies) to being stored for a maximum of 24 months, in accordance with what is specified for each cookie in Setterwalls Cookie Policy. SW283348/3 10

11 6. Personal data relating to other persons If you are, or are a contact person of, potential client, supplier or collaboration partner to us, we may collect, store and otherwise process personal data relating to you in accordance with this section 6. Who is data controller? Each office company is controller for the processing carried out by its staff relating to its potential client, supplier and collaboration partner relationships, and is simultaneously processor for Setterwalls and for the other office company/companies, which are covered by the potential client, supplier or collaboration partner relationship. What personal data may be processed? The personal data we may process comprises name, title, employer, contact details (such as address, address and telephone number), information on your contact persons with us, information on the specified areas of interest for newsletter and other mailings, information on participation in our seminars and events, as well as notes and summaries from meetings had with you (except in the context of an engagement). We do not process any sensitive personal data (i.e., information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or concerning health or sex life). In the context of an engagement, additional personal data may be processed in accordance with section 1. How is personal data collected? Personal data is provided to or gathered by us in connection with an engagement in accordance with section 1, or is provided to us by, or on behalf of, you, the client, supplier or collaboration partner, the potential client, supplier or collaboration partner, or someone who mediates contact between us, or is collected by us from such persons or from private or public records or other sources. For which purposes and on which legal grounds may personal data be processed? Personal data may be processed in accordance with section 1. Personal data may be processed for the purposes of, through you, establishing, maintaining and developing the relationship with you as potential client/supplier/collaboration partner, or contact person of a potential client/supplier/collaboration partner, and, if you have not objected against that, marketing our services (e.g., through invitations to seminars and events, newsletters and other mailings), respectively. Such processing is carried out on the basis of our legitimate interest to establish, maintain and develop relationships with our clients, suppliers and collaboration partners and to market our services, respectively. With whom may personal data be shares? Personal data may be shared with the other office companies, but will not be disclosed to any third parties. SW283348/3 11

12 For how long is the personal data stored? Personal data is stored in accordance with section 1 to the extent the data is part of an engagement. In addition, personal data may be stored until you object against that, at which point the data will be deleted. 7. Which rights do you have? You have the right to request and receive, free of charge, information from us regarding our use of personal data relating to you. You have the right to have incorrect personal data relating to you corrected by us without undue delay. In some cases you also have, having regard to the purposes of the processing, the right to complete incomplete personal data. Under certain circumstances, you have the right to request personal data relating to you to be deleted by us, for example where the personal data is no longer necessary for the purposes for which the data was collected, or if the personal data is processed in an unlawful manner. You have the right to request that we restrict the processing of personal data relating to you in some cases. If you for example object against the accuracy of personal data, you can require that we limit processing of such data during the time it takes for us to check its accuracy. You have the right to object against our processing of personal data relating to you on the basis of our legitimate interests. In case of such objection, we must demonstrate compelling legitimate grounds for such processing that outweighs your interests, rights and freedoms in order to continue the processing. You have the right to object against our processing of personal data relating to you for direct marketing purposes. In case of such objection, we will no longer process your personal data for such purposes. You have the right to withdraw your consent to the processing of personal data at any time. Such a withdrawal may be limited to a part of the processing. Under certain circumstances, you have the right to receive the personal data relating to you that you have provided to us in an electronic format widely used. You have the right to transmit such information to another data controller (data portability). If you have opinions on our processing of personal data relating to you, please contact us. You also have the right to submit a complaint to the Swedish Data Protection Authority (Sw. Datainspektionen) ( which is the supervisory authority in Sweden, or to the supervisory authority in the country where you live or work. SW283348/3 12

13 8. Language versions This policy is prepared in both a Swedish and an English language version. For data subjects domiciled in Sweden, the Swedish language version shall prevail. For all other data subjects, the English language version shall prevail. 9. Additions and alterations We may make additions or alterations to this policy. If we do, we will post the updated policy on our website and refer to it in our s and our mailings through our digital mailing/invitation system. In such a case, we ask you to carefully review the updated policy. 10. How can you contact us? Contact us at privacy@setterwalls.se or at address Setterwalls Advokatbyrå, P.O. Box 1050, SE Stockholm, Sweden, P.O. Box 11235, SE Göteborg, Sweden, or P.O. Box 4501, SE Malmö, Sweden, if you have questions about this policy or our processing of personal data, or otherwise want to exercise any of your rights related to our personal data processing. SW283348/3 13