Data protection policy


At Norrbom Vinding, we protect the personal data we hold. Below you will find further information on how we process personal data in general.

As regards cookies, you can read our policy here.

The overarching purpose of Norrbom Vinding’s processing of personal data is to enable us to provide our core service – legal assistance – to our clients. In addition to personal data relating to our services, we process personal data concerning our employees as well as job candidates. We also process personal data in other contexts (newsletter, breakfast briefings, Ajour, networking events and other types of event). Data processed may also include personal data that we receive and process in our capacity as processors of a whistleblowing scheme.

Irrespective of the contexts in which Norrbom Vinding processes personal data, we wish to ensure that we hold correct and adequate information.

Data controller

Norrbom Vinding is controller of the data we process. Thus, we are responsible for ensuring that personal data is processed in accordance with the applicable data protection legislation. When we process data relating to the handling of whistleblowing schemes, we do, however, consider ourselves as processors.

Assignment and disclosure of information

Norrbom Vinding uses processors and suppliers to carry out work on our behalf, such as work relating to IT maintenance, backup and email accounts. Processors and suppliers may access the data necessary for such work but will be under a contractual obligation to treat such data as confidential. In pursuance of data protection law, Norrbom Vinding has entered into data processor agreements with our processors and suppliers.

When providing legal advice, we are bound by a duty of professional secrecy under the Code of Conduct for the Danish Bar and Law Society. As a general rule, we are thus neither entitled nor obligated to assign or disclose information – including personal data which comes to our knowledge as part of a client relationship – to a third party. Regardless of function, all Norrbom Vinding’s employees are subject to the duty of professional secrecy.


To ensure that the personal data we hold does not come to the knowledge of a third party, we have internal rules regarding handling of personal data, IT security and confidentiality, etc. which contribute to making sure that we comply with data protection law.

In our work, we continuously focus on protecting the personal data we hold in the best possible way.

To prevent data loss, we carry out daily backups of the data processed in our IT systems – including, of course, personal data.

In case of a personal data breach resulting in a high risk that personal data may be accessed by a third party, we will communicate the breach to the affected data subjects without undue delay, as prescribed by the applicable data protection legislation.

Should you become aware that a personal data breach may have occurred, or that personal data may have been accessed by a third party – e.g. in your capacity as an IT supplier – please send an email as soon as possible to


Norrbom Vinding only stores personal data as long as necessary. And in accordance with data protection law, we delete the personal data we no longer need to store.

Legal rights

Duty of notification
The applicable data protection legislation provides legal rights to data subjects when their data is processed and imposes certain duties on us, including the duty to notify the data subjects if we collect or will collect their personal data.

Thus, when we process personal data, the data subject is notified of the data being processed and the purposes of the processing to the extent that the duty of notification does not conflict with the rules on professional secrecy. Information on the processing will be provided to the individual data subjects in accordance with data protection law.

Right of access, rectification, etc.
The data subject is entitled to know what information Norrbom Vinding holds on him or her. Similarly, the data subject has a right of access to the extent that this right does not conflict with the rules on professional secrecy.

The data subject is entitled to request Norrbom Vinding to rectify or erase personal data if he or she believes that the data is inaccurate or incorrect. And we are obligated to review such a request.

Legal basis
Norrbom Vinding’s processing of personal data is based on Articles 5, 6(1), 9 and 10 of the General Data Protection Regulation and chapter 3 of the Danish Data Protection Act.

If the processing of personal data is based on consent, the consent can always be withdrawn. Norrbom Vinding may, however, continue to process personal data which has another processing basis than consent.

Further information
If you have any questions concerning this policy or your legal rights under the applicable legislation, please contact us. You can find our contact details on our website here.

You can read further information regarding data protection and your legal rights on the website of the Danish Data Protection Agency The Agency is the authority which ultimately can decide if data has been processed lawfully, for instance as part of a complaint process. All data subjects may file a complaint to the Danish Data Protection Agency.


This data protection policy was last updated in May 2018.