CLEMENS Advokatpartnerselskab

CVR no.: 32676561

St. Clemens Stræde 7

8000 Aarhus C

(hereinafter "we", "us" or "our") is the data controller for the processing of your personal data, as further described in this CLEMENS Privacy Policy.

If you have any questions about this policy or our processing of your personal data, you are always welcome to contact us at databeskyttelse@clemenslaw.com.

2. We process your personal data

We process personal data for various purposes, which you can read more about in the following.

We only process personal data if it is necessary to fulfill the purposes for which the personal data has been collected or if it is necessary to comply with our legal obligations.

2.1 Clients

In order to provide our legal services to you or your company, we may process the following personal data about you:

• General personal data, including name, telephone number, address, email address or other contact information, cf. Article 6(1)(b) or Article 6(1)(f) of the General Data Protection Regulation.

Depending on the nature of the case, it may be necessary to process additional personal data about you. This may be, for example:

• Confidential information, including e.g. civil registration number, information about assets, tax information or family relationships, cf. Article 6(1)(b), (c) or (f) of the General Data Protection Regulation and section 11(2) of the Danish Data Protection Act.
• Information about criminal convictions and offenses, cf. Article 6(1)(a), (b), (c) and (f) of the General Data Protection Regulation and section 8(3) and (4) of the Danish Data Protection Act.
• Sensitive data, including data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual life or orientation, cf. Article 6(1)(b) or (f) of the GDPR and Article 9(2)(a) or (f) of the GDPR.

If a specific processing activity requires consent, we always ask for your prior consent for the processing of this personal data.

We only disclose your personal data when it is necessary to provide our service to our clients or if it follows from a legal obligation incumbent on us as data controllers. We may, among other things, disclose your personal data to the following general categories of suppliers, business partners and data processors:

• Operational and software suppliers and other data processors
• Counterparties in legal proceedings or other out-of-court disputes
• Professional third parties, including e.g. real estate agents, banks, etc.
• Credit rating companies
• Public authorities
• Other subcontractors and partners

We retain your personal data for as long as necessary for the stated purposes. We generally store your personal data for up to 10 years after the end of a case and/or client relationship, unless we still have a legitimate purpose for storing the personal data.

2.2 Collection and storage of credentials for anti-money laundering obligations

If our assistance to you or your company is covered by the Danish Money Laundering Act, we process the following personal data about you to comply with our legal obligations under the Danish Money Laundering Act:

• CPR number, cf. Article 6(1)(c) of the General Data Protection Regulation and section 11(2) of the Danish Data Protection Act.
• Documentation of identity information (copy of passport or driver's license), cf. Article 6(1)(c) of the GDPR.

We only disclose your personal data when it is necessary to provide our service to our clients or if it follows from a legal obligation incumbent on us as data controller. Your personal data may therefore be disclosed to:

• Public authorities

• Operational and software suppliers and other data processors

We retain personal data collected to comply with our legal obligations under the Danish Anti-Money Laundering Act for five years after the client relationship has ended, unless we still have a legitimate purpose for retaining the personal data.

2.3 Counterparties

If you are a counterparty, representative or otherwise involved in our cases, we process the following personal data about you when it is necessary for us to process the case:

• General personal data, including e.g. name, contact information, position, relationship in the case and other general personal data, is processed to pursue our legitimate interests in providing assistance to our client, cf. Article 6(1)(f) of the GDPR. In certain cases, our processing is based on a legal obligation, cf. Article 6(1)(c) of the GDPR.

Depending on the nature of the case, it may be necessary to process additional personal data about you. This may be, for example:

• Confidential information, including e.g. civil registration number, information about assets, tax information or family relationships, cf. Article 6(1)(b), (c) or (f) of the General Data Protection Regulation and section 11(2) of the Danish Data Protection Act.
• Information about criminal offenses, cf. section 8(3) and (4) of the Danish Data Protection Act.
• Sensitive data, including data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual life or orientation, cf. Article 6(1)(c) and (f) of the GDPR and Article 9(2)(f) of the GDPR.

We only disclose your personal data when it is necessary to provide our service to our clients or if it follows from a legal obligation incumbent on us as data controllers. For example, we may disclose your personal data to the following general categories of suppliers, business partners and data processors:

• Operational and software suppliers and other data processors
• The client we represent in the case in question
• Counterparties in legal proceedings or other out-of-court disputes
• Professional third parties, including e.g. real estate agents, banks, etc.
• Credit rating companies
• Public authorities
• Other subcontractors and partners

We retain your personal data for as long as necessary in relation to the stated purposes. As a general rule, we store your personal data for ten years after the conclusion of a case and/or the end of the client relationship in which you are a counterparty, etc. unless we still have a legitimate purpose for storing the personal data.

2.4 Whistleblower reports

If you make a whistleblower report or are named in a whistleblower report made by a third party to a whistleblower scheme managed by us, we will process the personal data reported to the extent necessary to handle the report. The personal data includes e.g:

• General personal data, including e.g. name, job title, contact information, cf. section 22 of the Whistleblower Act and Article 6(1)(c) and (f) of the General Data Protection Regulation.
• Information about criminal offenses, cf. section 22 of the Danish Whistleblower Act and section 8(3) and (4) of the Danish Data Protection Act.
• Sensitive personal data, including information about racial or ethnic origin, political, religious or philosophical beliefs, trade union membership, health or sexual relations or orientation, cf. section 22 of the Whistleblower Act and Article 6(1)(c) and (f) of the General Data Protection Regulation and Article 9(2)(g) of the General Data Protection Regulation.

In the case of reports made to a voluntary whistleblower scheme (which is not required to be established pursuant to the Danish Whistleblower Act), the processing of the personal data provided is based on Article 6(1)(c) and (f) of the General Data Protection Regulation. If you have sent us sensitive data, these are processed pursuant to Article 9(2)(g) of the General Data Protection Regulation. If you have sent us information about criminal offenses, our processing is based on section 8(3) and (4) of the Danish Data Protection Act.

If you are a whistleblower and have made a report, we will only disclose information about your identity to your employer/company to which the whistleblower scheme is linked, if you have given your consent, or in very special cases to relevant authorities, e.g. if it is necessary in connection with a police investigation or legal proceedings. If we disclose your personal data to relevant authorities, this will only be done if we are legally obliged to do so, and you will be informed to the extent possible.

We retain your personal data for as long as necessary for the stated purposes. As a general rule, we store your personal data for up to ten years after the whistleblower case, unless we still have a legitimate purpose for storing the personal data. This may be the case, for example, if continued storage is required by other legislation or if there is reason to believe that the report can be strengthened by subsequent reports (linking).

2.5 Lawyer surveys

If we are engaged by a client to conduct a legal investigation in order to uncover and explain the scope and nature of specific issues, we may process the following personal data about you if you are involved in the investigation:

• General personal data when the processing is necessary to pursue the client's legitimate interest in uncovering relevant facts in the investigation, cf. Article 6(1)(f) of the GDPR.

Depending on the nature of the legal investigation, it may be necessary to process additional personal data about you. This may be, for example:

• Information about criminal offenses, cf. section 8(3) and (4) of the Danish Data Protection Act.
• Sensitive data, including data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual life or orientation, when the processing is necessary for the establishment, exercise or defense of legal claims, cf. Article 6(1)(f) of the GDPR and Article 9(2)(f) of the GDPR.

We only disclose your personal data when it is necessary to provide our service to our clients or if it follows from a legal obligation incumbent on us as data controller. For example, your personal data may be disclosed to:

• The client on whose behalf we conduct the legal research
• Public authorities
• Operational and software suppliers and other data processors

We store your personal data for as long as necessary in relation to the stated purposes. We generally store your personal data for up to ten years after the end of the case and/or client relationship, unless we still have a legitimate purpose for storing the personal data.

2.6 Recipients of newsletters

When you sign up for our news service, we process your personal data based on your consent to direct marketing. In this context, we process the following personal data about you:

• General personal data, including name and email address, cf. Article 6(1)(a) of the General Data Protection Regulation and section 10 of the Danish Marketing Practices Act.

To the extent necessary, we share your personal data with our software suppliers and business partners.

We process your personal data until you unsubscribe from receiving our newsletter. If continued storage of documentation of the consent is necessary in order to clarify whether there is or arises a dispute regarding your consent, we may store your personal data until this is clarified, cf. Article 17(3)(e) of the General Data Protection Regulation.

2.7 Users of our website

In order to manage, develop and administer our website(s), we process personal data about you if you consent to cookies.

You can read more about cookies in our cookie policy. Depending on which cookies you consent to, we may process the following personal data about you:

• General personal data such as IP address, which pages you visit on our website and other digital footprints. The processing is based on your consent, cf. Article 6(1)(a) of the General Data Protection Regulation.

To the extent you consent to third-party cookies, we will share your personal data with these third parties. You can read more about third-party cookies in our cookie policy. In addition, we may disclose your data to relevant suppliers and business partners, including, for example, software suppliers, marketing agencies and other data processors.

How long we process your personal data for these purposes depends on which cookies you consent to.

You can change your consent settings at any time or withdraw your consent and delete the cookies you have previously consented to by following the instructions in our cookie policy.

2.8 Job seekers

In order to process application material that we receive unsolicited or in connection with a job posting, we process the following general categories of personal data:

• General personal data that we receive from you in connection with your application, including, for example, name, contact information, job history, education, skills, photo, etc. cf. Article 6(1)(b) and Article 6(1)(f) of the General Data Protection Regulation.
• General personal data that we collect from publicly available media, including e.g. LinkedIn, Facebook, etc. cf. Article 6(1)(b) and Article 6(1)(f) of the GDPR.
• General personal data that we collect from your references or public authoritiesif you have consented to this, cf. Art. 6(1)(a) of the GDPR.

Depending on the personal data you have provided in your unsolicited application material, we consider your submission of the application material as your consent to the processing of this data in connection with the recruitment process. This could be, for example, the following categories of personal data:

• Confidential personal data, including e.g. civil registration number, cf. section 11(2)(2)(2) of the Danish Data Protection Act.
• Information about criminal convictions and offenses, cf. section 8(3) and (4) of the Data Protection Act.
• Sensitive personal data, including information about racial or ethnic origin, political, religious or philosophical beliefs, trade union membership, health or sexual relations or orientation, cf. Article 6(1)(a) and (f) of the GDPR and Article 9(2)(a) of the GDPR.

To the extent necessary to complete the recruitment process, we may disclose your personal data to recruitment consultants, software suppliers or other data processors.

We will keep your application material until the recruitment period has ended (invited applications). In some cases, we ask for your consent to store your application for a period of 6-12 months (invited and unsolicited applications). If you give your consent in such cases, we will store your application for the period you have consented to.

In special circumstances, we may store your personal data for a longer period of time if we deem it necessary to defend ourselves against a possible legal claim, cf. Article 6(1)(c) of the GDPR.

2.9 Other people and processing activities

In order to manage our business operations, we process the following general categories of personal data about contact persons at our business partners and suppliers:

• General personal data such as name, contact information and other CRM-related personal data, cf. Article 6(1)(f) and Article 6(1)(c) of the GDPR.

To the extent necessary for the operation of the business, we disclose such personal data to business partners, suppliers, etc. including, for example, software suppliers, freight companies and auditors.

As a general rule, we store the above-mentioned personal data for as long as the customer relationship or collaboration continues, or until the contact person in question is no longer employed by our supplier, customer, etc. Personal data registered in connection with sales, delivery, invoicing, etc. is stored for five years after the end of the relevant financial year in accordance with the Danish Bookkeeping Act.

If you have participated in a course or similar with us, we process the following categories of personal data because it is necessary to pursue your and our legitimate interests in the course:

• General personal data, including e.g. name, contact information and position, cf. Article 6(1)(f) of the GDPR.

To the extent necessary, we share your personal data with our software suppliers and business partners.

Your personal data will be stored for three years, unless circumstances specifically require longer storage.

In connection with events, etc. we may in special cases take situational photos in order to publish these on our website and social media, whereby we process the following categories of personal data:

• General personal data, including mood images, cf. Article 6(1)(f) of the General Data Protection Regulation.

In this regard, we make every effort to ensure that the people in the photos do not feel exposed or offended.

If we publish such situational images of you, you have the right to object, and in such cases we will always do what we can to remove the images/postings. You can object by contacting us at the contact information mentioned in section 1.

In the case of portrait-like images, we will of course ask for permission to take the photo in the specific situation. In such situations, the processing and publication of the images will instead be based on your consent, cf. Article 6(1)(a) of the General Data Protection Regulation.

If the processing and publication of the material requires your consent, we will ask for your consent to the processing of such data at the time of collection.

We may disclose the personal data to the following recipients:

• LinkedIn
• Software providers and other data processors

We process and publish image and video material for five years. However, the retention period may be shorter in specific cases, e.g. in connection with the withdrawal of consent or as a result of us meeting an objection to the processing of the images.

3. If you wish to withdraw your consent

If we process your personal data on the basis of your consent, you can withdraw your consent at any time by contacting us as stated above in section 1 or following the instructions on our website, in newsletters, etc.

If you withdraw your consent, please note that this does not affect the lawfulness of our processing up to the time of withdrawal, and that in special cases we may be entitled to continue processing your personal data, e.g. to defend ourselves against a possible legal claim.

4 Transfer of personal data to third countries

To the extent necessary to comply with the purposes of processing your personal data, we may transfer personal data to international organizations or companies established in countries outside the EU/EEA. We will only make such transfers if we have an adequate legal basis for doing so, including e.g:

• If the EU Commission has assessed that the security in the third country in question is adequate in accordance with Article 45 of the GDPR,
• If there are otherwise adequate guarantees for security, including, for example, by entering into the EU Commission's standard contracts in accordance with Article 46 of the General Data Protection Regulation, or
• If one or more of the exemptions in Article 49 of the GDPR apply.

5 Your rights

When we process your personal data, you have the following rights towards us. If you wish to exercise these rights, you are always welcome to contact us as described above in section 1.

• Access. You have the right to access and obtain a copy of the personal data we process about you.
• Rectification. If we have registered incorrect personal data about you, you generally have the right to have such incorrect personal data about you corrected.
• Erasure. In special cases, you have the right to have the personal data we process about you erased.
• Restriction of processing. In special cases, you have the right to have the processing of your personal data restricted to storage.
• Objection. In special cases, you have the right to object to our processing of your personal data.
• Data portability. In special cases, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to have this personal data transferred from one data controller to another without hindrance.

You can read more about your rights on the Danish Data Protection Agency's website: www.datatilsynet.dk.

6 Complaints

You have the right to file a complaint with the Danish Data Protection Agency if you are dissatisfied with the way we process your personal data. However, we hope that you will always contact us first so that we can find a reasonable solution. You can find the Danish Data Protection Agency's contact information and complaint guidelines at www.datatilsynet.dk.