PRIVACY NOTICE FOR WAHL-LARSEN ADVOKATFIRMA AS
Last modified: Feb 27, 2019
This privacy notice applies to Wahl-Larsen Advokatfirma AS. We are the data controller responsible for the processing of personal data as described in this privacy notice. You can find our contact information on the first page of the letter of confirmation.
Who we process personal data about:
This privacy notice is aimed at our processing of personal data about the following persons:
- Clients in criminal cases
- Contacts at business clients
- Contacts at our suppliers and business partners
- People involved in matters where we assist
- Other persons mentioned in case documents we gain access to
- Visitors to our website
Purposes, types of personal data and legal basis:
Below we have provided an overview of the purposes for which we process personal data, the type of personal data we process and the legal basis for the processing.
Establishment of client relationships
When a client contacts us and asks us to take a case, we can conduct conflict checks before taking on the case. A conflict check serves a legitimate purpose and is provided for in GDPR article 6 paragraph 1 letter f (balancing of interests). A conflict check of an individual usually includes full name, the facts of the case and, if relevant, creditworthiness. A conflict check on behalf of business clients will usually not involve the processing of personal data.
In connection with the establishment of a client relationship, we conduct a customer control in accordance with the Norwegian Money Laundering Act. Customer control is required to fulfill our legal obligations in accordance with GDPR Article 6 paragraph 1 letter c.
If we accept the case, contact information is registered. The registration is necessary to enter an agreement with the individual concerned, cf. GDPR article 6 paragraph 1 letter b. For business clients, the registration of contact information is based on a balancing of interests, cf. Article 6 paragraph 1 letter f.
Some cases involve access to personal data about parties or other individuals affected by the case. Such data may appear in the documents the client shares or other correspondence in the case. The processing of personal data in cases of business clients has its legal basis in GDPR article 6 paragraph 1 letter f (balancing of interests). In some cases, we also get access to sensitive personal data, for example health information or criminal convictions and offenses. In such cases, the processing of data is provided for in GDPR article 9 paragraph 2 letter f (processing is necessary for the establishment, exercise or defence of legal claims) cf. the Norwegian Privacy Data Act § 11 (15.05.2018).
The basis for processing is our interest in utilizing prepared knowledge in further counseling, cf. GDPR Article 6, paragraph 1, letter f (balancing of interests).
Separate case folders are created for assignments performed on behalf of the client. Time and costs incurred are registered in our accounting system. For business customers, what we do is in conjunction with client management pursuant to GDPR Article 6.1 letter f (balancing of interests), whereas for private customers, it is considered a necessary part of fulfilling the agreement with the person concerned, GDPR Article 6.1 letter b.
Storage and safekeeping of case documents:
We normally store case documents for 5 years after the assignment is completed. Storage in the specified time period is considered necessary in the interests both of the client and for our own sake, since questions or disputes may subsequently arise in which the information stored on a matter may again come into question. The legal basis for processing of personal data is GDPR Article 6, paragraph 1, letter f (balancing of interests, cf. the legitimate interest indicated above) and GDPR Article 9, paragraph 2, letter f (determine, enforce or defend legal requirements), cf. the Personal Data Act (new 2018) § 11.
Contact information received from business customers is used to mark the invoice sent to the business upon the client's request. For residential customers, the person's private address or entered email address is used for sending invoices. The processing basis is GDPR Article 6, No. 1, letter f (balancing of interests) for business customers and GDPR Article 6, paragraph 1, letter b (required to fulfill the agreement with the data subject) for private customers.
IT operation and security:
Personal data stored in our IT systems may be available to us or to our suppliers in connection with system updates, implementation or follow-up of security measures, correction or other maintenance. The basis for processing is GDPR Article 6, No. 1 f (balancing of interests, cf. our legitimate interest in the above activities) and our legal obligation to have satisfactory information security, cf. GDPR Articles 32 and 6, No. 1, letter c.
We may send out newsletters to e-mail addresses registered for clients we continuously provide legal services to and others who have requested to receive our newsletter. Recipients of the newsletter can easily stop the service by using the link included in each inquiry. The processing basis is GDPR Article 6.1 letter f (balancing of interests) where we have received your e-mail address in connection with a legal assignment. If there is an existing customer relationship, the marketing will take place in accordance with Section 15 (3) of the Marketing Act. In other contexts, marketing is based on the consent of the person concerned, cf. section 15 (1) of the Marketing Act and Article 6 (1a) of the GDPR.
Who we share personal data with:
Our IT service providers may have access to personal data if personal data is stored at the supplier or otherwise available to the supplier under their contract with us. Suppliers act in accordance with the data processing agreement and under our instructions. The provider may only use the personal data for the purposes which we have determined and as described in this Policy.
Attorneys are subject to a sanctioned duty of confidentiality pursuant to section 111 of the Criminal Code. All information entrusted to us in connection with an assignment is handled confidentially.
Storing personal data:
We usually save case documents for 5 years.
Accounting legislation otherwise requires us to store specific accounting documents for a specified period. When a particular purpose dictates storage for a given period, we ensure that the personal data is used solely for that purpose during that time.
You have rights to the personal data that concerns you. What your rights are depends on the circumstances.
If you have consented to receive our newsletter, you may withdraw this consent at any time. We have made it possible for you to easily opt out of this type of inquiry by including a link to the unsubscribe form in each inquiry. If you have consented to any other processing of personal data, you may also withdraw your consent at any time by directing a request to us.
You have the right to access the personal data we have registered about you, insofar as confidentiality does not prevent it. To ensure that personal data is disclosed to the right person, we may require a request for access in writing or that identity is verified by other means.
Request correction or deletion:
You may request us to correct incorrect data we have about you or ask us to delete personal data. We will, as far as possible, accommodate requests to delete personal data, but we cannot do so if there are compelling reasons not to delete; for instance, we may need to save the data for documentation purposes.
In some cases, you could be entitled to retrieve personal information you have provided to us and have it transferred in a computerized format to you or any third party. If technically possible, in some cases it will be possible to have it transferred directly to the third party.
Appeals to the supervisory authority:
If you disagree with the way we treat your personal data, you may submit a complaint to the Data Inspectorate.
We have established procedures to handle personal data in a secure manner. The measures are of a technical and organizational nature. We carry out regular assessments of the security of all key systems used for managing personal data and have entered into agreements which oblige suppliers of such systems to provide satisfactory information security.
Access to personal data (and client / case information) is limited to personnel who need access to perform their duties.
We have adopted internal IT guidelines, and we regularly train staff with regard to security and the use of IT systems.
Changes in privacy statement:
We may make minor changes to this privacy statement.
If you have any questions or comments about our privacy statement or you would like to exercise your rights, please contact us.