Privacy policy

This privacy policy, version 29 August 2025, applies to the processing of personal data by Sandanger Advokatfirma DA, reg. no. 993 489 735, as data controller. We ensure that personal data is processed in accordance with applicable data protection legislation.

In the privacy policy you will find information about the purpose of the processing, how we use and protect your personal data, and what rights you have. Personal data is all information that can be linked to you as a person.

We process personal data in connection with legal services to organisations and private individuals.  All processing takes place in accordance with applicable data protection regulations, including the Personal Data Act and GDPR.

“Personal data” means all information that can be linked to a natural person (the latter is referred to as “registered”).

“Processing” means everything that is done with personal data, such as collection, registration, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction.

2.1 Who we process personal data about

In connection with our business, we process personal data about (i) private clients and private individuals in connection with the cases we handle, (ii) contact persons at business clients, as well as (iii) contact persons at our suppliers, at business partners, at counterparties’ legal advisers and other advisers related to the cases.

2.2 Establishment of client relationships

We carry out independence checks before accepting assignments in order to comply with the rules of good legal practice. The legal basis is GDPR Articles 6(1)(c) and 6(1)(f).

Providing us with personal data is voluntary, but it will be necessary to provide us with the information in order for us to assess whether we can take on the assignment.

We register contact information (name, telephone, e-mail). Basis: GDPR Article 6(1)(f) for corporate clients, Article 6(1)(b) for private clients.

2.3 Case management
When we carry out legal assignments, we normally process personal data about the client and other relevant persons. This may, for example, include employees and owners of the client’s business, the opposing party, witnesses, the opposing party’s lawyer and other persons affected by the case. Such information can be found in documents, correspondence and other communication that we receive or prepare in connection with the case. For private clients, the basis for processing is normally GDPR Article 6(1)(b) (agreement with client). In some cases, we may exceptionally have access to sensitive personal data. The processing of such sensitive data is based on section 11 of the Personal Data Act, cf. GDPR article 9(2)(f) (legal claims). The processing of personal data in connection with business clients is based on GDPR Article 6(1)(f) (balancing of interests), specifically our interest in providing services to our clients.

2.4 Archiving of personal data
We archive case documents and correspondence, etc. with personal data after the assignment has been finalised. Subsequent retention of case documents is done because the clients expect it and because experience has shown that there may be a need for them, for example in connection with questions about the assistance and in the event of legal proceedings. The processing of personal data in connection with archiving is based on Article 6(1)(f) of the GDPR, the balancing of interests and our interest in fulfilling clients’ expectations and needs. Where the cases contain sensitive personal data, the processing is based on section 11 of the Personal Data Act, cf. GDPR article 9(2)(f).

2.5 Invoicing and debt collection
Timekeeping, disbursements and incurred case-related costs are registered in our case management and accounting system together with contact information used for invoicing. For private clients, the processing is based on GDPR Article 6(1)(b) (contract), and for business clients it is based on GDPR Article 6(1)(f) (balancing of interests). Any further follow-up of invoicing after completion of the assignment is based on GDPR Article 6(1)(f), our interest in collecting any outstanding receivables.

2.6 Suppliers and business partners
In connection with our legal services, we register information about suppliers and business partners. We register contact information, primarily contact persons’ names, telephone numbers and e-mail addresses. The processing is based on the balancing of interests, GDPR Article 6(1)(f), our interest in managing the relationship with our suppliers and business partners.

2.7 Other processing
We may also process personal data for purposes that are not incompatible with the original purpose for which they were collected. This applies, for example, to bookkeeping purposes and the use of information that may be required if we as a law firm become involved in legal proceedings, an acquisition or other process. In such cases, the basis for processing is GDPR Article 6(4).

2.8 Marketing
We may send newsletters to clients and contact persons at our clients that we have assisted during the last three years, as well as to others who have expressly requested to receive them. Such mailings to clients and contacts are based on the balancing of interests, GDPR Article 6(1)(f), and our interest in following up clients with news and relevant information about our services. For mailings to others, the basis for processing is GDPR Article 6(1)(a) (consent). All recipients can easily unsubscribe by using the link at the bottom of each email.

2.9 Sharing of personal data
Lawyers have a statutory, penalty-sanctioned duty of confidentiality.

We share personal data with legal authorities, counterparties and others (advisers, experts, insurance companies, etc.) where this is necessary to fulfil the assignment.

IT suppliers only have the necessary access. We have data processing agreements with all suppliers.

We do not disclose personal data unless the client requests it or it is required by law.

2.10 Retention and storage period
We store personal data for as long as it is necessary to fulfil the purposes described here in the privacy policy, and with the following storage period:

• Case information is stored for 10 years.
• Invoice information is stored for 5 years.
• Information about clients’ contact persons is stored for 5 years after the client relationship has ended.
• The names and email addresses of those who have consented to receive newsletters are stored until the consent is withdrawn.

2.11 Security measures
We have implemented a number of technical and organisational security measures in order to handle personal data in a sufficiently secure manner. We carry out regular assessments of the security of systems used to handle personal data, and agreements have been entered into that require suppliers of such systems to ensure satisfactory information security.

Procedures have been established for handling breaches of information security (data breaches), and in the event of a breach that poses a risk to the privacy of the personal data concerned, we will send a non-conformity report to the Norwegian Data Protection Authority as soon as possible and no later than 72 hours after the breach was discovered. If the breach has a high probability of jeopardising the privacy of those to whom the breach relates, we will also notify them.

2.12 Transfer of personal data abroad
Where disclosure, as described in the section on sharing of personal data, involves transfer out of the EEA, we take measures to protect the personal data. This involves entering into an agreement based on the EU Standard Contractual Clauses with the recipient or through other statutory measures.

3.1 Information, access, rectification and erasure
All individuals have the right to information about our processing of their personal data. This follows from the Personal Data Act with further reference to GDPR. The rights are described below. Please contact us if you wish to exercise your rights. We will respond to your enquiry as soon as possible, and within one month at the latest.

As a client, you have the right to access your personal data and information about why and how it is processed. We cannot provide access to other persons due to a statutory duty of confidentiality. You also have the right to demand that we correct erroneous information and to ask us to delete personal data about you. However, we will not correct information that we believe to be correct, and we will not delete information if we have the right to continued processing, cf. the description above. You have the right to ask us to restrict the processing of your personal data, even if you do not want us to delete it. You also have the right to have your personal data transferred (data portability) in a common, machine-readable format. This only applies to personal data that you have provided to us and where we process it on the basis of your consent or an agreement we have with you. This is therefore rarely applicable. You also have the right to object to the processing of your personal data if your particular situation so requires. You can also object to us using information about you for marketing purposes, which you can do by clicking on the unsubscribe link at the bottom of each email or by notifying us in some other way.

3.2 Right to complain
If you disagree with our processing of your personal data or the way we process your personal data, you can submit a complaint to the Norwegian Data Protection Authority. In such cases, we ask you to contact us first so that we can assess what you are dissatisfied with and correct any errors.

4.1 Changes
We will update the privacy policy as necessary. You will be notified if we make significant changes. The latest and current version of the privacy policy will always be available on our website.

4.2 Cookies
When you visit our website, we use cookies. You can find more information about this in our information on the use of cookies.

4.3 Contact information
Please feel free to contact lawyer Hogne Sandanger on telephone number +47 93 46 45 18 or e-mail address hs@sandco.no if you have any questions, comments or wish to exercise your rights.