Org.nr: 981 472 470

Last updated: 21.11.2022


1. Applicability of this privacy policy  

The privacy policy concerns personal data processed by ECIT Law Advokater AS (hereafter referred to as «ECIT Law», «we» or «us»). We are the data controller for the processing of personal data as described in this privacy policy. The policy is intended to inform you as a client/collaborative partner about how we process your personal data, and the purpose of the processing.

ECIT Law offers a variety of legal services, and the term «case» used in this policy must therefore be understood broadly unless otherwise is stated, so that it covers all our undertaken assignments related to our operations, rather it be consultation, document- and contract revision, trials, or other legal counseling.

 Our contact information can be found below.

 2. Who we process data about

This privacy policy applies to our processing of personal data with respect to legal practice.

 We process personal about:

-       our customers; including private customers, private persons and contact persons from our corporate customers;

-       personal data about individuals in a case (including, counterparties, suppliers, collaborative partners) or other individuals involved or affected by a case we assist in

-       other persons that are mentioned in case documents we get access to;

-       data about our employees;

-       data about our partners;

-       visitors to our website;


3. Purpose, types of personal data and legal ground

An overview of the purposes behind the processing of personal data, the types of personal data we process and the legal ground for the processing, can be found below.


Establishing a client relationship and administration of the client relationship: Upon contact by a client requesting us to take on an assignment, we will conduct a conflict assessment before accepting the assignment. This conflict assessment is performed based on a legitimate interest and serves a legitimate purpose. The legal ground for this is GDPR article 6 nr. 1 letter f, cf. also The Norwegian Courts of Justice Act Section 224, cf. the legal practitioner regulations chapter 12.

 The described conflict assessment will for private customers typically include processing of full name, what the case regards and if relevant to the case, credit rating.

 A conflict assessment on behalf of corporate customers will generally not include any processing of personal data.

  With regards to establishing a new client relationship, we will perform customer due diligence in accordance with The Norwegian Money Laundering Act, and the belonging regulation.

 Customer due diligence normally consists of:

-       registering certain data in accordance with The Norwegian Money Laundering Act sections 12 and 13, cf. also sections 17 and 18.

-       verify the identity of the client and beneficial owners (if any).

-       as well as collect data about the purpose and intended type of client relationship.


Customer due diligence is required for us to fulfill our legal obligations in accordance with The Norwegian Money Laundering Act sections 4, 7, 8, 12, 13, 17, 18 and the belonging money laundering regulation section 4, cf. GDPR article 6 nr. 1 letter c.


The following contact information will be registered for private customers and corporate customers, if we agree to take on the assignment:

-       Full name of contact person(s), representatives, and owners with the customer

-       Date of birth and D-number (for private customers)

-       Phone number of contact person(s), representatives, and owners with the customer.

-       Email-address of contact person(s), representatives, and owners with the customer

-       Mailing address of the customer.


Registration of contact information is for private customers needed to enter a legally binding agreement with the concerned, cf. GDPR article 6 nr. 1 letter b. For corporate customers, the registration of contact information for individuals is based on a legitimate interest, cf. GDPR article 6 nr. 1 letter f.


Case management: Some legal assignments may provide us access to personal data about parties or other individuals that are affected by a case. This sort of data can emerge from documents submitted by the client or from correspondence in the case. The processing of personal data with respect to assignments for corporate customers have legal grounds in GDPR article 6 nr. 1 letter f, a legitimate interest. Processing of personal data with respect to assignments for private customers is based in GDPR article 6 nr. 1 letter b, the processing is necessary to fulfill an agreement whom the registered is a part of.

 Additionally, some cases will provide us access to sensitive information, e.g., health information or criminal convictions and offenses. In those cases, processing of the data is based in GDPR article 9 nr. 2 letter f (processing is necessary to assess, assert or defend a legal claim), cf. The Norwegian Personal Data Act (new in 2018) section 11.


 Knowledge Management: Documents are often prepared for our clients when we work on an assignment. Occasionally we chose to transform those documents to templates that can be applied in future cases. The templates and models are anonymous and will not contain any personal data. The legal ground for our processing is our interest in utilizing prepared knowledge in further counseling, cf. GDPR article 6 nr. 1 letter f, a legitimate interest.


Client administration: Separate casefiles are created for assignments performed on behalf of the client. Accrued hours and expenses for the specific case will be registered in our accounting system. An internal overview of cases and tasks for customers can be found in  a project tool used for internal purposes. Our procedures related to client administration with respect to corporate customers have legal grounds in GDPR article 6 nr. 1 letter f, a legitimate interests, while it for private customers is considered a necessary element to fulfill the agreement with the concerned, cf. GDPR article 6 nr. 1 letter b.


Storing and retaining case document: Case documents are retained for 10 years after a completed assignment, unless the client proposes the case documents be retained for a shorter or longer time. Once the case is completed in our case management system, case documents will be transferred to our archive system and are retained in a secure/safe manner in a separate locked system. Storage for the given time (10 years) is considered necessary with respect to both the client and us, due to later questions or legal disputes that may arise, in which the archived information regarding a previous case may be of relevance. The legal grounds for the processing of personal data are GDPR article 6 nr. 1 letter f, a legitimate interests, cf. the legitimate interest stated above and GDPR article 9 nr. 2 letter f (assess, assert, or defend a legal claim), cf. The Personal Data Act (new in 2018) section 11.


Invoicing: Contact information provided to us by corporate customers are used to mark invoices sent to the corporation if requested by the client. For private customers the clients private mailing address is used to issue invoices and email addresses to issue invoices electronically. The legal grounds are GDPR article 6 nr. 1 letter f, a legitimate interest for corporate customers and GDPR article. 6 nr. 1 letter b (necessary to fulfill the agreement with the registered) for private customers.


IT-operations and security: Personal data stored in our IT-systems may be available to us or our service providers upon system upgrades, implementations or follow-ups of security measures, bug fixes or other maintenance. The legal ground for this is GDPR article 6 nr. 1 letter f, a legitimate interest, cf. our legitimate interest relating to the above-mentioned activities, and our legal obligation to have satisfactory information security levels, cf. GDPR article 32 and article 6 nr. 1 letter c.


Issuing newsletters, marketing, and other relevant information: We issue newsletters to email-addresses registered on clients to whom we currently offer legal services to and others who have requested/consented to receive our newsletter. Recipients can easily unsubscribe from the newsletter service through the link included in a single inquiry (or upon contacting the correct contact person in the law firm). The legal ground for the processing is GDPR art. 6 nr. 1 letter f (a legitimate interest) where we have received the email-address with regards to a legal assignment. Our legitimate interest in using personal data for marketing purposes is to inform about our products and services, as well at update about current applicable laws, changes to the law that can affect those customers and/or potential customers that we contact. Our services related to direct marketing ensures that our customers receive updated data that we consider beneficial to the customer or potential customer.

 In case of an already existing customer relationship, the marketing will be in accordance with The Norwegian Marketing Control Act section 15 (3). In other instances, the marketing will be based on consent from the concerned, cf. The Norwegian Marketing Control Act Section 15 (1) and GDPR article 6 nr. 1 letter a.


4. To whom we share personal data with

Our third-party providers of e.g., IT-services, project- and communication tools providers and other collaborative partners may have access to personal data, if the personal data is stored with the provider or similarly is available to the provider according to the contract with us.


Personal data are processed by us through different platforms and applications in relation to both internal and external processes. Examples of work tools, systems, and collaborative partners used by us are, but not limited to the following:


Project- and communication tool systems and IT-operation services:

-       Microsoft Office 365 (Word, Excel, PowerPoint, Teams)

-       G Suite (Gmail, Google Doc, Google Drive, Google Meet, Google Calender)

-       Slack

-       Clickup

-       ECIT Solutions/Dokumentpartner

-       Verified

-       Advisor

- Legal Plant


Accounting- and invoicing systems:

-       Advisor

-       Tripletex

-       PowerOffice GO


Accountant, auditor, and other collaborative partners:

-       Wepe Regnskap AS

-       Eyedea AS

-       Deloitte AS

-       ECIT AS

 -      Argus Kreditt


Marketing tools and systems:

-       LinkedIn

-       Facebook

-       Workplace

 -      Instagram


Advisor is the provider of legal solutions, and provides systems for case-, document-, knowledge management, timesheets, and invoicing. Read Advisor’s privacy policy here: https://advisor.no/personvern


ECIT Solutions/Dokumentpartner is the provider of IT-operation services. Read ECIT’s privacy policy here: https://www.ecit.com/privacy-policy/


Verified is a solution for electronically signing documents and webforms and is used to implement customer ID-controls (electronic identification) Read Verified’s privacy policy here: https://support.verified.eu/hc/en-us/sections/360001221252-Privacy-Policy


PowerOffice Go is a system for accounting, invoicing, and time tracking/hour registration that we and our accountant use. Read PowerOffice Go’s privacy policy here: https://poweroffice.no/personvernerklaering/


Tripletex is the provider of legal solutions, and delivers systems for case management, document management. Read Tripletex’s privacy policy here: https://www.tripletex.no/personvernerklaering/


Wepe Regnskap is our authorized accountant. Read Wepe Regnskap’s privacy policy here: https://www.wepe.no/personvernerklaering/

Argus Kreditt is our partner in receivables administration. They assist with follow-up of unpaid invoices and debt collection. Personvernerklæring | Argus Kreditt


Deloitte is our authorized auditor. Read Deloitte’s privacy policy here: https://www2.deloitte.com/no/no/footerlinks1/privacy.html?icid=bottom_privacy


ECIT is an accounting- and IT-firm that we occasionally collaborate with in different manners, with regards to existing and new clients by receiving incoming assignments through ECIT and through collaboration on assignments with ECIT. Read ECIT’s privacy policy here: https://www.ecit.com/privacy-policy/


G Suite is a collection of cloud-based services and applications for desktops and mobile phones that we use for case-, document- and knowledge management. Read Google’s privacy policy here: https://policies.google.com/privacy?hl=en-US


Microsoft Office 365 is a collection of cloud-based services and applications for desktop and mobile phones that we use for case-, document- and knowledge management. Read Microsoft’s privacy policy here: https://privacy.microsoft.com/nb-no/privacystatement


Slack is a communication tool system with functions such as chatrooms (channels) organized by topic, private groups, and direct messages. We use Slack for internal communication regarding ongoing assignments and sharing documents. Read Slack’s privacy policy here: https://slack.com/intl/en-no/trust/privacy/privacy-policy?geocode=en-no


Clickup is a cloud-based tool used for collaboration and project leadership. The functions include communication- and collaboration tools, administrating tasks, statuses, and notifications. Read Clickup’s privacy policy here: https://clickup.com/privacy

LegalPlant is a platform for lawyers for case registration, workflow, customer contact and more. A license agreement has been concluded with LegalPlant, which gives ECIT LAW the right to use the version of the platform that is current at any given time.

Facebook/Workplace offers well-known functions such as creating profiles, pages and groups, chat services, live videocasting and so on. The services are used both for internal and external communication and marketing. Read Facebook’s (hereunder Workplace’s) privacy policy here: https://www.facebook.com/privacy/explanation


LinkedIn offers services for creating and administrating corporate- and personal profiles. We use LinkedIn to engage in our professional network, access knowledge, gain insight and possibilities, publish content from our channels, including also reaching out to and communicating with potential new customers. Read LinkedIn’s privacy policy here: https://privacycenter.instagram.com/policy

Instagram is a photo sharing service that offers creation of profiles, pages, chat, sharing of livestories and photos. We use these services for internal and external communication and marketing towards clients and customers. Privacy Tools and Information Security | Meta


The third parties mentioned above may only use the personal data for the purposes declared by us and as described in this privacy policy, including as described in the privacy policies from our respective third parties.


We strive to ensure that all processing of personal data conducted by us (or processing conducted by our collaborate partners and service providers on behalf of us) is processed within EU/EEA. In case of us processing personal data outside of EU/EEA (third countries), EU’s standard contract/standard clauses for transferring personal data to third countries serve as the legal ground (in accordance with 2010/87/EU and C-311/18).

In addition, processing will only happen after a foretaken risk assessment by the privacy laws in the given third country.


5. Confidentiality

Lawyers are subject to a penal sanctioned confidentiality duty, cf. the Norwegian Penal Code section 211. All information confided to us regarding an assignment will be treated confidentially.

Personal data are not disclosed by us in other instances or in any other way than described previously in this privacy policy, unless the client explicitly encourages or consents to this, or if extradition is required by law.


6. Storing of personal data

Case documents are stored in our case management system for as long as the case is being managed. The given case folder will be transferred to our archive system once the case is completed, where it can be retained for 10 years.


The Norwegian Accounting Laws require us to store certain accounting documents for a specified given time. When a particular purpose summons storage for a given time, we will ensure that the personal data solely is used for that particular purpose, in the given time.


7. Your rights

In accordance with current laws about processing of personal data, you have several rights as our client. Your rights will depend on the circumstances.


Right to withdraw a given consent: If the processing is based on a previously given consent to processing of personal data (e.g., marketing purposes) you can at any given time withdraw the given consent upon contacting us.


Request access: As a customer/user you have the right to know what information we have on file about you if the confidentiality duty does not hinder this. Information like this can simply be obtained from us upon request. To ensure that the personal information is disclosed to the correct person, we may request you to send a written request for access or ask you to provide client identification.


Request data changes or deletion: You can always request us to correct inaccurate information about yourself or request us to delete personal data. The request to data deletion will be accommodated in the best way possible, unless there are severe reasons for the information not to be deleted, e.g., that the information needs to be stored due to documentation purposes.


Have your data transferred (Data portability): The right to data portability means that you as a client upon a simple request may be eligible to have the personal data provided to us, by you, disclosed to get this data transferred in a machine-readable format to another law firm. If technicalities allow it, the data may in certain cases be eligible to direct transfer to the other firm.


Complaint to The Norwegian Data Protection Authority:  You can complain to The Norwegian Data Protection Authority if you are opposed to our processing of your personal data.


8. Security

We have established procedures to manage personal data in a secure manner. The measures are both technical and organizational. We perform regular evaluations of the security measures in all core systems used to manage personal data, and there are agreements in place that require data providers of such systems to reassure satisfactory levels of information security.


9. Changes to the privacy policy

We reserve the right to make minor changes to this privacy policy. The latest updated version will always be available on our website. A prior notice will be given in the case of significant changes.


10. Contact information

For inquiries regarding this privacy policy or if you wish to exercise your rights, please contact us on:


Name of contact person: Mathias T. Gebremichael

Contact by phone: (+47) 467 90 069

Visiting address: Møllergata 23-25, 0179 Oslo, Norge

Mailing address: Møllergata 23-25, 0179 Oslo, Norge

Contact by e-mail: mathias@ecitlaw.com