Privacy Policy
1. The purpose of this policy
PUNCT Advokater P/S (“PUNCT”) processes personal data about you in several different situations. This happens, among other things, when we establish a client relationship and we provide advice, or if you otherwise are in contact with us, e.g., as a party or witness in a case, if you apply for a job with us, attend a course or visit our website.
Generally, we are obligated to inform you whenever we process your personal data. In some cases, however, we are prevented from complying with this obligation. This is namely in cases where we are obligated to maintain confidentiality and in situations where other interests considerably outweigh your right to be informed.
This privacy policy contains information about PUNCT’s processing of personal data. You can read more about below.
2. Data controller
The legal entity responsible for the processing of personal data at PUNCT (data controller) is:
PUNCT Advokater P/S
CVR: 43 73 82 16
Kampmannsgade 2
DK-1604 Copenhagen V
Denmark
We can be contacted regarding our processing of personal data at:
Email: ln@punct.dk
3. Processing of personal data
You can read more about how we process personal data below.
4. Processing security
As a law firm, PUNCT is obligated to protect the confidentiality, integrity and availability of our clients’ and other relations’ information, including personal data. PUNCT places a high priority on client confidentiality and information security, and we are strongly committed to ensuring continuous protection of information. We have implemented security measures to ensure the protection of client information, personal data, and other confidential information. We regularly conduct internal follow-ups to ensure adequate security and compliance with our policies.
5. Your rights as a data subject
As a data subject, you have several fundamental rights. However, these rights may be limited, e.g., if disclosure of information that you were otherwise entitled to receive would violate the rights of other persons or violate our duty of confidentiality as lawyers.
Withdrawal of consent
To the extent that our processing of your personal data is based on your consent, you can withdraw your consent at any time. However, the revocation does not affect the lawfulness of the processing we have carried out prior to the revocation. To withdraw your consent to our processing of your personal data, please contact us.
If you no longer wish to receive emails with information and marketing material from PUNCT, you can easily unsubscribe by replying to one of the received emails with “unsubscribe marketing” or, in the case of our newsletter, by clicking on “unsubscribe newsletter” in the most recently received newsletter.
Right to access
Generally, you have the right to know whether PUNCT is processing your personal data and, if so, what type of personal data we are processing and for what purpose. You also have the right to receive a copy of the data.
Right to rectification
You have the right to have incorrect or incomplete personal data corrected. If the information is disclosed to others, we ensure that the recipients are informed about the correction, provided this is possible and legal.
Right to erasure
You may have the right to have the personal data PUNCT processes about you deleted. If the information has been disclosed to others, we ensure that the recipients are informed of any changes, provided this is possible and legal.
Right to restriction of processing
You may have the right to have the processing of your personal data restricted so that the data can only be stored by PUNCT. If the personal data is disclosed to others, we will ensure that the recipients are informed of any restrictions, provided this is possible and legal.
Right to transmit personal data (“data portability”)
In certain cases, you have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format and to have the data transferred to another data controller.
Right to object to PUNCT’s processing
In certain cases, you have the right to object to our processing of your personal data.
6. Changes to this Privacy Policy
Transparency is an ongoing responsibility, and we therefore continuously update our privacy policy. The privacy policy was last updated on 3 January 2023.
7. Contact and complaint
If you wish to complain about PUNCT’s processing of your personal data, please send an e-mail with the details of your complaint to: ln@punct.dk. We will deal with the complaint and get back to you as soon as possible.
You also have the right to complain to the Danish Data Protection Agency:
The Danish Data Protection Agency
Carl Jacobsens Vej 35
DK-2500 Valby
Phone: 33193200
Email: dt@datatilsynet.dk
For further information on how to complain to the Danish Data Protection Agency, please refer to the Danish Data Protection Agency’s website: www.datatilsynet.dk.
Client relationship administration
Purpose
The purpose is to handle the client relationship, including conducting conflict checks, register the client and new cases, invoicing, as well as administering, managing, and developing our business and services, as well as handling the operation and maintenance of our systems.
Data subject
The client, including employees of the client.
Category of personal data
General personal data, including name, title, address, telephone number and email address, possibly employee number, our assistance and advice, as well as invoice information.
Legal basis
The processing is necessary to fulfil the contract with our client or to carry out measures at the clients’ request prior to entering the contract, cf. Article 6(1)(b) of the General Data Protection Regulation.
The processing is also necessary for us to comply with legal obligations, including requirements in section 10 of the Danish Accounting Act, to which PUNCT is subject, cf. Article 6(1)(c) of the General Data Protection Regulation.
Furthermore, the processing is necessary for us to pursue our legitimate interests in managing the client relationship, fulfilling the contract with our client, administering, and developing our business and services, and handling the operation and maintenance of IT systems used as part of our management of the client relationship, cf. Article 6(1)(f) of the General Data Protection Regulation. Please note that the data subject has the right to object to this at any time, cf. Article 21(4) of the General Data Protection Regulation.
Source
The client, including employees of the client.
Retention period
The personal data will be deleted after 11 years, counting from the end of the calendar year in which the client relationship is terminated, unless specific circumstances require a shorter or longer retention period.
Certain client data is deleted after 30 years, calculated from the end of the calendar year in which the client relationship is terminated to protect against conflicts of interest.
Categories of recipients
PUNCT is subject to a statutory obligation to maintain confidentiality and generally does not disclose personal data to third parties.
However, we disclose personal data to our client, counterparties, courts, and other public authorities if this is necessary for a legal claim to be established, exercised, or defended.
Furthermore, in some instances, we disclose personal data to our auditor and other professional advisors, e.g., for the auditor to carry out audits or for us to receive advice.
In addition, we use external suppliers, including IT suppliers, accountants, etc. who may be entrusted with personal data in connection with their assistance to us. PUNCT enters into data processing agreements with external suppliers who process personal data on behalf of PUNCT to ensure the necessary security.
We do not transfer personal data to countries outside the EU/EEA, unless such transfer is made to the client, counterparties, or courts. In these situations, we will ensure appropriate measures if the European Commission has deemed the third country in question not “safe”.
Client due diligence procedure
Purpose
The purpose is to carry out our client due diligence procedure.
Data subject
The client, including its owners and day-to-day management.
Category of personal data
General personal data that appears on, e.g., passport, driver’s license, or health insurance card, including name, address, place of birth, nationality, and civil registration number. We keep a copy of the documents presented, such as passports, driving licenses or health insurance cards.
Personal data about criminal convictions and offences where we suspect money laundering and/or terrorist financing.
Legal basis
We process the personal data as required by the Danish Act on Measures to Prevent Money Laundering and Financing of Terrorism (the Anti-Money Laundering Act), to which PUNCT is subject. We process the personal data in accordance with the “know your customer” procedures of the Anti-Money Laundering Act, cf. Sections 11-21, cf. Section 10, including Section 11(1)(1)(a), which is necessary to comply with a legal obligation to which PUNCT is subject, cf. Article 6(1)(c) and Article 87 of the General Data Protection Regulation, cf. Section 11(2)(1) of the Danish Data Protection Act.
If we process information about criminal convictions and offences, the processing takes place solely for the protection of a legitimate interest in complying with our obligations under the Anti-Money Laundering Act, cf. Article 10 of the General Data Protection Regulation, cf. Section 8(3) and (4) of the Danish Data Protection Act.
Source
The client, including its owners and day-to-day management as well as employees of the client.
Retention period
The data will be deleted within 5 years, counting from the time when the client relationship is terminated or when the individual case/transaction is closed, unless specific circumstances require a longer retention period.
Categories of recipients
PUNCT is subject to a statutory obligation to maintain confidentiality and generally does not disclose personal data to third parties.
However, we may be required to disclose personal data to public authorities. Where we suspect money laundering and terrorist financing that cannot be rebutted, we are obligated to report and disclose the information to the Anti-Money Laundering Secretariat at the Danish Special Crime Unit (NSK) and possibly other supervisors pursuant to Section 26 of the Anti-Money Laundering Act.
In certain cases, we will disclose personal data to our professional advisors to receive advice.
In addition, we use external suppliers, including IT suppliers, who may be entrusted with personal data in connection with their assistance to us. PUNCT enters into data processing agreements with external suppliers who process personal data on behalf of PUNCT to ensure the necessary security.
Providing legal assistance and advice
Purpose
The purpose is to provide legal assistance and advice to our client.
Data subject
The client, parties, partners, witnesses, and employees of these.
Category of personal data
General personal data, including name, title, organisation, address, email address, telephone number, other information provided by our client for us to provide our assistance and advice. If necessary for us to provide our services, we also process civil registration numbers.
Any special categories of personal data and personal data about criminal convictions and offences.
Generally, however, we do not wish to receive special categories of personal data and personal data about criminal convictions and legal offences and process them only where necessary to provide our assistance and advice.
Legal basis
We process personal data about our client that is necessary to be able to fulfil the contract with our client and provide our advice or to implement measures at the client’s request prior to entering into the contract, cf. Article 6(1)(b) of the General Data Protection Regulation.
We process personal data about counterparties, the employees of the client and counterparties, and witnesses, if it is necessary for PUNCT to pursue legitimate interests in managing the client’s interests, cf. Article 6(1)(f) of the General Data Protection Regulation. Please note that the data subject has the right to object to this at any time, cf. Article 21(4) of the General Data Protection Regulation.
We process (pass on) civil registration numbers to public authorities for purposes of making registrations on behalf of the client on virk.dk, tinglysning.dk or minretssag.dk, as required for unique identification, cf. Article 87 of the General Data Protection Regulation, cf. Section 11(2)(3) of the Danish Data Protection Act.
If we process special categories of personal data or personal data about criminal convictions and offences about the client, counterparties, the client’s and/or the counterparties’ employees, processing takes place only if it is necessary for a legal claim to be established, exercised, or defended, cf. Articles 6(1)(f) and 9(2)(f) of the General Data Protection Regulation.
Please note that the data subject has the right to object to this at any time, cf. Article 21(4) of the General Data Protection Regulation.
If we process information about criminal convictions and offences, the processing takes place solely for the protection of a legitimate interest in complying with our obligations under the Anti-Money Laundering Act, cf. Article 10 of the General Data Protection Regulation, cf. Section 8(3) and (4) of the Danish Data Protection Act.
Source
The client, parties, witnesses, business partners and their advisers or employees, and otherwise from publicly available sources.
Retention period
Generally, the data is deleted 10 years after the termination of the client relationship, calculated from the end of the calendar year in which the most recent case for the client in question has been closed, but in special cases there may be shorter or longer retention periods, including when having to comply with legal requirements for deletion or retention.
Categories of recipients
PUNCT is subject to a statutory obligation to maintain confidentiality and generally does not disclose personal data to third parties.
However, we disclose personal data to our client, counterparties, courts, and other public authorities if this is necessary for the establishment, exercise, or defense of legal claims.
Furthermore, in certain cases, we disclose personal data to our auditor and other professional advisors, e.g., so that the auditor can carry out an audit or so that we can receive advice.
In addition, we use external suppliers, including IT suppliers, accountants, etc., who may be entrusted with personal data in connection with their assistance to us. PUNCT enters into data processing agreements with external suppliers who process personal data on behalf of PUNCT to ensure the necessary security.
We do not transfer personal data to countries outside the EU/EEA, unless such transfer is made to the client, counterparties, or courts. In these situations, we will ensure appropriate measures if the European Commission has deemed the third country in question not “safe”.
Courses, networking, and similar events
Purpose
The purpose is to plan, hold and evaluate courses, networks, and similar events at PUNCT.
Data subject
The participant.
Category of personal data
General personal data, including name, title, email address, telephone number and organisation.
Legal basis
The processing of personal data in connection with registration for courses, networks, and similar events at PUNCT takes place for us to fulfil the contract with the participant or to implement measures at the participant’s request prior to entering into the contract, cf. Article 6(1)(b) of the General Data Protection Regulation.
The processing is necessary for us to pursue our legitimate interest in evaluating and administering courses, networks and similar events and to keep in touch with the participant, cf. Article 6(1)(f) of the General Data Protection Regulation. Please note that the data subject has the right to object to this at any time, cf. Article 21(4) of the General Data Protection Regulation.
Furthermore, the processing is necessary for us to comply with legal obligations, including requirements in the Danish Accounting Act, to which PUNCT is subject, cf. Article 6(1)(c) of the General Data Protection Regulation.
Source
The participant in question or the participant’s employer.
Retention period
The personal data is deleted after 2 years, calculated from the time of the course, networking or other event has been completed and evaluated, unless special circumstances require a shorter or longer retention period.
Categories of recipients
PUNCT is subject to a statutory obligation to maintain confidentiality and generally does not disclose personal data to third parties.
However, in certain cases, we disclose personal data to our auditor and other professional advisors, e.g., so that the auditor can carry out an audit or so that we can receive advice.
In addition, we use external suppliers, including IT suppliers, accountants, etc. who may be entrusted with personal data in connection with their assistance to us. PUNCT enters into data processing agreeements with external suppliers who process personal data on behalf of PUNCT to ensure the necessary security.
Marketing activities
Purpose
The purpose is to carry out marketing activities, including sending out newsletters, invitations to various events and other direct communication.
Data subject
The party with whom we have a business relation.
Category of personal data
General personal data, including name, title, email address, telephone number and organisation.
Legal basis
If we have previously been in contact with a party in one way or another, we assess that we have a legitimate interest in processing the party’s personal data to be able to maintain our relation and market our services, and make sure that our communication with the party is as relevant as possible, cf. Article 6(1)(f) of the General Data Protection Regulation. Please note that the data subject has the right to object to this at any time, cf. Article 21(4) of the General Data Protection Regulation.
Processing of personal data in connection with the registration of our newsletter takes place based on the consent of the party, cf. Article 6(1)(a) of the General Data Protection Regulation.
Source
The party in question or through publicly available sources, such as LinkedIn, Facebook, or the website of the party’s organisation.
Retention period
The personal data is deleted when the party in question asks us to stop contacting the party.
As for our newsletters, the personal data is deleted when the party withdraws his/her consent.
Categories of recipients
In some cases, we disclose personal data to our professional advisors for us to receive advice.
In addition, we use external suppliers, including IT suppliers, who may be entrusted with personal data in connection with their assistance to us. PUNCT enters into data processing agreements with external suppliers who process personal data on behalf of PUNCT to ensure the necessary security.
Visitors to our website
Purpose
The purpose is the administration of visitors to www.punct.dk.
Data subject
The visitor to our website.
Category of personal data
General personal data, including IP address.
Legal basis
We process the data to pursue legitimate interests in the functioning of our website, cf. Article 6(1)(f) of the General Data Protection Regulation.
Source
The visitor.
Categories of recipients
In some cases, we disclose personal data to our professional advisors for us to receive advice.
In addition, we use external suppliers, including IT suppliers, who may be entrusted with personal data in connection with their assistance to us. PUNCT enters into data processing agreements with external suppliers who process personal data on behalf of PUNCT to ensure the necessary security.
Recruitment
Purpose
The purpose is recruitment, including processing and assessing an applicant in relation to a current or future position at PUNCT.
Data subject
The applicant.
Category of personal data
General personal data, including name, address, telephone number and email address, educational background, work experience and other personal data provided by the applicant, as well as references.
Information about criminal offences, including criminal records, of the applicant being offered a position.
In certain cases, we process special categories of personal data, including diseases that will have a major impact on the applicant’s ability to fill a particular position.
Legal basis
The processing of general personal data is necessary for PUNCT to pursue legitimate interests in recruiting an applicant for a position at PUNCT, cf. Article 6(1)(f) of the General Data Protection Regulation. Please note that the data subject has the right to object to this at any time, Article 21(4) of the General Data Protection Regulation.
We process personal data collected from references provided that the applicant has consented to this, cf. Article 6(1)(a) of the General Data Protection Regulation.
We also process personal data that is clearly made public by the applicant, cf. Articles 9(2)(e) and 6(1)(f) of the General Data Protection Regulation. PUNCT pursues its legitimate interest in being able to recruit applicants for positions at PUNCT. Please note that the data subject has the right to object to this at any time, cf. Article 21(4) of the General Data Protection Regulation.
We process personal data on criminal records if it is necessary to safeguard a legitimate interest in ensuring that the applicant can hold the position at PUNCT that is to be filled, cf. Article 10 of the General Data Protection Regulation, cf. Section 8(3) of the Danish Data Protection Act. This is applicable, e.g., in relation to PUNCT’s compliance with Section 8 of the Anti-Money Laundering Act.
The processing of special categories of personal data is necessary for the purposes of meeting and respecting our or the applicant’s specific rights and obligations under labour law, including Section 2 of the Act on the Use of Health Data etc. on the Labour Market, cf. section 12(1) of the Danish Data Protection Act.
Source
The applicant and any references (if the applicant has given his/her consent) as well as information that is otherwise publicly available.
Retention period
Personal data about an applicant who is not offered a position will be deleted after 3 months, counting from the time when the applicant has received a rejection of his application, unless the applicant has consented to a longer retention period, or special circumstances require longer retention.
Information about applicants who are offered a position at PUNCT is transferred to the applicant’s personnel file.
Categories of recipients
In some cases, we disclose personal data to our professional advisers for us to receive advice.
In addition, we use external suppliers, including IT suppliers, who may be entrusted with personal data in connection with their assistance to us. PUNCT enters into data processing agreements with external suppliers who process personal data on behalf of PUNCT to ensure the necessary security.
Supplier administration
Purpose
The purpose is to manage supplier and business relations.
Data subject
The supplier or the business relation, including their employees.
Category of personal data
General personal data, including name, title, address, telephone number and email address. Regarding the employees of the supplier or business relation, we process name, title, email address and telephone number.
Legal basis
The processing is necessary to fulfil the contract with our supplier or business relation or to carry out measures at their request prior to the conclusion of the contract, cf. Article 6(1)(b) of the General Data Protection Regulation.
The processing is also necessary for us to comply with legal obligations, including requirements in the Danish Accounting Act, to which PUNCT is subject, cf. Article 6(1)(c) of the General Data Protection Regulation.
Furthermore, the processing is necessary for us to pursue our legitimate interest in managing the supplier or business relation and fulfilling the contract with our supplier or business relation, cf. Article 6(1)(f) of the General Data Protection Regulation. Please note that the data subject has the right to object to this at any time, cf. Article 21(4) of the General Data Protection Regulation.
Source
The supplier or business relation, including their employees.
Retention period
The personal data is deleted after 6 years, calculated from the end of the calendar year in which the contract with the supplier or business relation is terminated, unless special circumstances require a shorter or longer retention period.
Categories of recipients
We only disclose personal data to our auditors and other professional advisors, e.g., so that the auditor can carry out audits or so that we can receive advice.
In addition, we use external suppliers, including IT suppliers, accountants, etc. who may be entrusted with personal information in connection with their assistance to us. PUNCT enters into data processing agreements with external suppliers who process personal data on behalf of PUNCT to ensure the necessary security.