decode law, company reg. no. (CVR): 44907062, processes personal data about you as a physical person for different purposes depending on the context. In this respect, we are considered data controller since we determine the purpose and means of the processing.
If you have any questions or wish to exercise your rights (see further below), you can contact us at mb@decodelaw.dk.
As of this moment, since we have not yet established a newsletter and currently have no intention of gathering behavior data through our website, the contexts where we process personal data are the following:
Which data do we process, for what purpose and on which legal basis?
Clients: Identification and contact information of the client and any other personal data relevant to the case for the purpose of carrying out the necessary know-your-client checks and to handle and solve the case best possible. When handling cases referred to us by our international business partners, we have received your personal data from them. The processing is carried out on the basis of either Article 6(1)(b) GDPR if the person with whom correspondence is carried out is the client, i.e. a physical person, if the person acts as a sole proprietorship or as part of a smaller partnership (in each case the person is closely linked to the company) or Article 6(1)(f) if the person with whom correspondence is carried out is employed with a company (e.g. ApS, A/S, Inc., Ltd. etc) and acts on its behalf. As for the latter situation, the processing is necessary for maintaining the client relationship and to solve the case, and the rights and freedoms of the data subjects is not outweighed by our legitimate interests. Furthermore, we are obliged to store bookkeeping material upon which names and contact information on our clients (or contact persons at clients) may figure for 5 years after the relevant financial year wherein the expense was bookkept, under section 10 of the Danish Bookkeeping Act, which is thus a processing based on Article 6(1)(c) GDPR.
Potential clients: Identification and contact information of the potential client for the purpose of establishing new client relationships. The data is processed because it is our legitimate interest in marketing our services and because this interest is not outweighed by the rights and freedoms of the person in question because the information gathered is of non-invasive character and is often publicly available, in accordance with Article 6(1)(f) GDPR and its preamble 47.
Other case-related parties: Identification and contact information on the relevant individual which is not the client, for instance opposing parties, their attorneys and advisors, and any other personal data about such individuals which is relevant to the case. The data is processed in order to handle and solve the case best possible. The processing is based on either Article 6(1)(b) or 6(1)(f) depending on which capacity the person is acting in.
Storage period
Personal data processed as part of assisting our clients are normally deleted or anonymised five years after the case has been closed. However, in some cases the storage period will be ten years, namely if there is a risk that the client will direct a claim against us for wrongful advice or other misconduct for which we may be liable. Retention may be even longer if an agreement or court or public authority decision has been taken/concluded that includes rights or obligations in effect for longer than five/ten years.
Personal data on potential clients will be deleted or anonymised if there has been no communication or activity with the relevant person for a period of one year.
Recipients and transfer of data to third countries
If necessary for the case, we may disclose certain information to public authorities relevant to the case, e.g. the Danish Patent and Trademark Office, appeals and complaints bodies such as the Danish Board of Appeals for Patents and Trademarks, the courts of law, etc.
We use Microsoft Outlook as our e-mail software on an Exchange server hosted within the EU. Microsoft Ireland Operations Ltd. provides the software and is under control by its parent company, Microsoft Corporation, located in the United States. There is therefore a risk of transfer of personal data to third countries, however, since Microsoft Corporation is certified under the EU-U.S. Data Privacy Framework, it is our assessment that the eventual transfer of personal data from Microsoft Ireland Operations to Microsoft Corporation ensures an adequate level of protection compared to that of the EU in accordance with Article 45(1) GDPR.
Which data do we process, for what purpose and on which legal basis?
Identification and contact information, information provided in applications, CVs and related documents, e.g. diplomas, and other personal data relevant to the assessment of a candidate, to the extent the job applicant has transmitted the material to us or necessary for evaluation for the job in question. The processing is carried out on the basis of Article 6(1)(b) GDPR since it is necessary in order to take steps at the request of the data subject prior to entering into an employment contract with that person.
Storage period
Personal data received in connection with speculative applications are erased after review of the application if the candidate is not relevant for a current or soon upcoming relevant job opening unless consent is obtained for longer storage.
Personal data received in connection with applications for advertised jobs are deleted after the final stage of the recruitment process unless the candidate is relevant for a current or soon upcoming relevant job opening or unless consent is obtained for longer storage.
Recipients and transfer of data to third countries
We receive job applications and application material through email, i.e. Outlook. Read more about potential transfers to Microsoft Corporation in the U.S. under the same subsection of the description of our processing activities in relation to cases/client communication (1).
Which data do we process, for what purpose and on which legal basis?
Identification and contact information on the relevant individual for the purpose of purchasing goods and services in the day-to-day course of business or to establish or maintain business relations or similar. The processing is based on either Article 6(1)(b) or 6(1)(f) depending on which capacity the person is acting in.
Storage period
Personal data on suppliers in relation to the purchase of goods and services figuring on invoices are kept for 5 years for the purpose of section 10 of the Danish Bookkeeping Act. Otherwise personal data processed for the same purpose, for instance correspondence with, is deleted or anonymised continuously, but sometimes only after three years or longer if necessary to exercise or defend legal claims which are limited to three years or more.
As for business partners, contact information is kept unless there has been no contact for a continuous period of one year between decode law and the business partner in question.
Recipients and transfer of data to third countries
Read more about potential transfers to Microsoft Corporation in the U.S. in connection with email correspondence under the same subsection of the description of our processing activities in relation to cases/client communication (1).
Access. You have the right to obtain access to the personal data we process about you as well as to certain information on how the processing takes place.
Rectification. You have the right to request rectification of inaccurate personal data concerning you and to have incomplete personal data about you completed.
Erasure. Under certain circumstances, see article 17 of the GDPR, you have the right to have personal data concerning you erased. For example, if the data are no longer necessary for meeting our obligations and exercising our rights, or if the data are processed on the basis of your consent and you withdraw your consent.
Restriction. In the circumstances referred to in article 18 of the GDPR, you have the right to request restriction of processing of your personal data, e.g. if the accuracy of the data is contested, for a period enabling us to verify the accuracy of the personal data, or if we no longer need the personal data for the purposes of the processing, but they are required for the establishment, exercise or defence of legal claims.
Objection. On grounds relating to your particular situation, you have the right to object to our processing of personal data based on article 6(1)(f) of the GDPR (the balancing of interests). You may, however, at any time (i.e. not only on grounds relating to your particular situation) object if the personal data are processed for direct marketing purposes (e.g. in connection with newsletters).
Data portability. If the processing is based on your consent or on a contract, you have the right to receive the data in a commonly used and readable format, and you have the right to transmit those data to another data controller. We will transmit the data directly to such other controller if you request us to do so and if technically feasible.
Automated decision-making. You have the right not to be subject to a decision solely based on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. If you suspect such a decision to have taken place, do reach out to us.
Right to lodge a complaint. You can complain about the processing at any time by contacting us. Furthermore, you always have the right to lodge a complaint with the Danish Data Agency (datatilsynet.dk, dt@datatilsynet.dk, +45 33 19 32 00), or the supervisory authority in the country in which your reside or in the country in which you believe that the processing of personal data in violation with the GDPR or the Danish Data Protection Act took place.
Change log
| Date | Change |
|---|---|
| 25 June 2024 | v1.0 |