Baker Tilly Denmark Legal
Close
146 AERIAL
About us

Privacy Policy

1 RESPONSIBILITY

1.1 The protection of your personal data is our highest priority, regardless of what the data concerns.

1.2 We process personal data and have therefore adopted this Privacy Policy, which describes how we process your personal data.

2 COMPANY

2.1 The company is:

Baker Tilly Legal Advokatfirma P/S
CVR No.: 41330236
Poul Bundgaards Vej 1E
DK-2500 Valby
Denmark

(Hereinafter referred to as “Baker Tilly Legal Advokatfirma”)

E: info@bakertillylegal.dk
W: www.bakertillylegal.dk

3 PERSONAL DATA

3.1 We have procedures for the collection, storage, deletion, updating, and disclosure of personal data to prevent unauthorized access to your data and to comply with applicable legislation.

3.2 We ensure fair and transparent data processing. When we ask you to provide your personal data, we inform you about which data we process and for what purpose. You will receive this information at the time of data collection. We do not collect information that is not relevant to the case. If unnecessary personal data is collected, it is immediately deleted. The guidelines below describe the types of personal data we collect, how we process them, and who you can contact if you have any questions or comments regarding this Privacy Policy.

4 TYPES OF PERSONAL DATA

CLIENTS / SUPPLIERS

Below are examples of personal data that Baker Tilly Legal Advokatfirma may have registered about you. Please note that the list is not exhaustive:

  • General personal data (e.g. name and/or username, address, email address, date of birth, gender, profile picture, location, etc.)
  • CPR number (Danish personal ID number)
  • Bank information, etc.
  • Transaction data
  • Data to/from social networks
  • Report access
  • Contact information (CRM data)
  • Newsletter
  • Tax calculation files
  • Excel files
  • Emails
  • Financial statements
  • Information from SKAT (Danish Tax Agency)
  • Annual tax statements
  • Preliminary income assessments
  • R75 tax expenses
  • Income and asset statements
  • Bank statements
  • Correspondence, including emails
  • Information from e-Boks

EMPLOYEE

  • Master data, general personal data (e.g. name and/or username, address, email address, date of birth, gender, profile picture, location, etc.)
  • CPR number
  • Information about close family members
  • Education information
  • References
  • Previous employment
  • Current position
  • Job responsibilities
  • Working hours and other employment conditions
  • Information for payroll processing, e.g. salary, tax, bank account details, etc.
  • Information about sick leave and other absences
  • Pension information
  • Unique numbers of network devices
  • Correspondence, including emails
  • Medical certificates, absence periods, retained for purposes other than reporting regarding unemployment benefits, Statistics Denmark, etc.
  • Time registration
  • Exit interviews
  • Performance evaluations
  • Criminal record
  • Salary statistics (Statistics Denmark)
  • Performance/Development interviews
  • Job applications and recruitment
  • Personality tests, personal characteristics
  • Photos of employees – for marketing purposes
  • Photos of employees – for social events organized by Baker Tilly Legal Advokatfirma
  • Employer-paid mobile phone, including the ability to retrieve call history with anonymized recipient phone numbers
  • Quality management

5 PURPOSE

5.1 We collect and store your personal data for specific purposes.

5.2 Your personal data is collected and used for:

CLIENTS / SUPPLIERS

  • Processing your purchase and delivering our service
  • Fulfilling your request for products or services
  • Improving Baker Tilly Legal Advokatfirma’s products and services
  • Direct marketing activities
  • Website optimization
  • Managing your agreement and relationship with us
  • Compliance with legal requirements
  • Other purposes

EMPLOYEE

  • Execution of an agreement or actions at your request
  • Administration of your relationship with us
  • Compliance with legal requirements
  • Other purposes

6 PROCESSING RULES

6.1 Processing Principles

6.1.1 We will process Personal Data lawfully, fairly, and in a transparent manner.

6.1.2 Our processing of Personal Data is subject to the principle of purpose limitation, meaning that Personal Data must be collected for specific, explicit, and legitimate purposes. Personal Data must not be further processed in a way that is incompatible with those purposes.

6.1.3 We process Personal Data based on the principle of data minimisation, meaning that Personal Data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

6.1.4 Personal Data must be processed according to the principle of accuracy, meaning they must be correct and, where necessary, kept up to date.

6.1.5 We process Personal Data according to the principle of storage limitation, meaning that Personal Data must be stored in a way that does not allow the identification of data subjects for longer than necessary for the purposes for which the Personal Data is processed.

6.1.6 Personal Data must be processed in accordance with the principle of integrity and confidentiality, meaning they must be processed in a way that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, by using appropriate technical and organisational measures.

6.2 Risk Analysis

6.2.1 In connection with our case handling, we must implement appropriate technical and organisational measures to ensure a security level appropriate to the risks specifically associated with our processing of Personal Data.

6.2.2 We have carried out a risk analysis which forms the basis for this Privacy Policy.

6.3 Data Protection Impact Assessments (DPIA)

6.3.1 Article 35 of the General Data Protection Regulation requires that if processing—particularly when using new technologies and, by reason of its nature, scope, context, and purposes—is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must, prior to processing, carry out an assessment of the impact of the envisaged processing operations on the protection of Personal Data.

6.3.2 The obligation to carry out a DPIA applies only in specific cases where a high risk to the rights and freedoms of natural persons can be identified.

6.3.3 DPIAs must in particular be carried out when:
a) processing on a large scale of sensitive data or of Personal Data relating to criminal convictions and offences, or
b) systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect them, or
c) systematic monitoring of a publicly accessible area on a large scale.

6.3.4 We assess that we will not carry out processing that meets any of the above criteria. It can therefore be assumed that the rules on DPIAs will have a relatively limited scope in relation to our processing of customers’ Personal Data.

6.3.5 If a DPIA is nevertheless carried out, the result of the assessment will be taken into account when deciding on appropriate measures to mitigate any potential increased risk to the rights and freedoms of natural persons.

6.4 Data Protection Officer (DPO)

6.4.1 The obligation to appoint a Data Protection Officer under Article 37 of the GDPR applies where the processing of Personal Data forms our “core activity.”

6.4.2 It is not our core activity to process Personal Data on a large scale or to conduct regular and systematic monitoring of individuals on a large scale.

6.4.3 The Danish Data Protection Agency has stated in its “Guidance on Data Protection Officers” that companies processing Personal Data as an ancillary activity are not obliged to appoint a DPO.

6.4.4 Our processing of Personal Data is considered an ancillary activity. We have therefore decided not to appoint a Data Protection Officer.

7 DETAILED PROCESSING RULES – CUSTOMERS / SUPPLIERS

7.1 General

7.1.1 These processing rules are intended as the general principles we must apply when handling cases for customers and are therefore a review of the issues we generally need to address in our case handling. The processing rules also express how we meet the documentation requirements of the GDPR.

7.2 Data Controller

7.2.1 As a general rule, we operate independently in relation to the Customer and third parties. We independently assess whether there is a basis for collecting/processing Personal Data, which Personal Data is relevant and necessary, and how long the Personal Data should be retained.

7.2.3 If, however, our service consists of administering or processing payroll on behalf of our customers, we act as a data processor. In such cases, the task will be bound by the agreement (instruction) from the Customer.

7.3 Legal Basis for Processing

7.3.1 Our legal basis for processing Personal Data primarily derives from the Customer’s mandate. Within the scope of that mandate, we will generally have a legal basis to process the necessary information required to perform the assignment. This follows in particular from Article 6(1)(a)-(c) and (f) of the GDPR, as well as Article 9(2)(a) and (f).

7.3.2 These provisions cover the right to process Personal Data where:
(i) consent has been given,
(ii) the processing is necessary for the performance of a contract,
(iii) the processing is necessary to comply with a legal obligation,
(iv) the processing is necessary to protect vital interests which override the interests of the data subject, or
(v) the processing is necessary for the establishment, exercise, or defence of legal claims.

7.3.3 Specifically with regard to personal identification numbers, we may process such information:
(i) where required by law,
(ii) where consent has been given, or
(iii) where necessary for the establishment of a legal claim, cf. Section 11 of the Danish Data Protection Act, cf. Section 7.

7.3.4 It is our assessment that the processing of Personal Data we carry out in relation to a customer mandate will, to a large extent, be authorised by the provisions referred to above.

7.3.5 In each case, we will carefully consider what the assignment entails when processing Personal Data, so that each lawyer avoids processing – including registering and storing – Personal Data that is not relevant to the case. We must therefore, in all situations, be mindful of the scope of the assignment and ensure that no Personal Data is collected or processed that is irrelevant. In particular, it is important to ensure that no Personal Data concerning third parties is processed where such data is not relevant to the case.

7.4 General Principles – Case Handling

7.4.1 At the start of a case, we must first ensure that the legal basis is clear – i.e., what processing of data the assignment presupposes – and that we have a lawful basis for such processing.

7.4.2 We must then consider our obligation to proactively inform the Customer of the processing we carry out, including the special rules that apply to the collection and retention of Personal Data for anti-money laundering purposes.

7.4.3 During the process, we must continuously ensure that the collection and disclosure of Personal Data is in accordance with the purpose, and we must continually assess our relationship with any data processors. If a third country becomes involved in the case, we must be aware of the specific rules that apply to the transfer of Personal Data to third countries.

7.4.4 When the case is concluded, we must decide how long we need to retain the information and when it should be deleted.

7.4.5 As a general rule, we should avoid basing our processing of Personal Data on the Customer’s consent. Consent can be withdrawn and, moreover, has no independent relevance alongside the mandate/agreement for assistance.

7.4.6 Duty to Inform – Customer

7.4.7 The duty to inform applies both in relation to the Customer and to any third parties assumed to be involved in the case handling. The obligation to inform third parties must always be considered in light of our duty of confidentiality, but as a general principle, confidentiality will not exempt us from an obligation to inform in all circumstances. This requires a specific assessment and decision.

7.4.8 In relation to the Customer, the duty to inform is fulfilled by providing a link to our Privacy Policy in the first communication, which describes the conditions for the cooperation.

7.4.9 In the welcome letter, reference is made to the Privacy Policy, covering:

  • Our processing – including both electronic and physical processing/storage.
  • Other relevant actors who will be involved, including any external bookkeeping and IT support.
  • Retention period after completion – including anti-money laundering and client account requirements.
  • Rights and possibility of complaint, as well as the possibility of withdrawing consent if processing is based on consent.
  • With respect to Article 21 of the GDPR, concerning the data subject’s right to object, the data subject must be explicitly informed of this right, at the latest at the time of the first communication, cf. Article 21(4). This information must be provided clearly and separately from other information.

Each customer will receive a link to our Privacy Policy, which can then be referred to in subsequent communications.

7.5 Duty to Inform – Third Parties

7.5.1 Article 14(5)(d) of the GDPR provides that the duty to inform does not apply if the Personal Data must remain confidential due to professional secrecy.

7.5.2 As long as the processing of Personal Data concerning third parties is within the scope of the assignment and the information is covered by our duty of confidentiality, we do not have an obligation to inform such third parties.

7.5.3 However, the duty to inform arises once there is no longer a reason to maintain confidentiality. We will continually assess the extent to which we can refrain from providing information by referring to our duty of confidentiality.

7.5.4 Article 14(5)(b) of the GDPR also provides that the duty to inform does not apply if it would involve a disproportionate effort to fulfil it. In practice, this exception is interpreted to mean that the duty to inform does not apply to incidental persons. This may be the names of individuals included in the description of received material, where, for example, the function and not the person is relevant, and where the identity of the person has no and will have no significance for the case. The exception, however, requires that only contact details and other similar ordinary Personal Data about the person(s) concerned are included.

7.6 Anti-Money Laundering

7.6.1 Under the Danish Anti-Money Laundering Act, we must retain the following Personal Data for five years after the termination of the client relationship:

  • Personal Data obtained in connection with fulfilling customer due diligence procedures in accordance with the Anti-Money Laundering Act
  • Identity and verification information
  • Copies of identification documents presented
  • Documentation and records of transactions carried out
  • Documents and records of investigations conducted under Section 25(1) and (2) of the Anti-Money Laundering Act.

7.6.2 Before establishing a business relationship with a customer and before carrying out a one-off transaction for natural persons, we must inform the Customer about our rules for processing Personal Data obtained under the Anti-Money Laundering Act by providing our AML Privacy Policy.

7.6.3 The information must be given directly to the Customer, e.g., as an attachment to the welcome letter (and not merely by referring to a notice on our website).

7.6.4 Beneficial owners must not be informed about our processing of Personal Data under the Anti-Money Laundering Act.

7.6.5 Information obtained in relation to anti-money laundering must be kept separately from individual case files by noting it on the AML record.

7.7 Ongoing Collection and Disclosure of Information

7.7.1 We must ensure that collection and disclosure of Personal Data only occurs to the extent necessary to carry out the Customer’s assignment.

7.7.2 When collecting Personal Data in a case, we must be particularly aware of whether the material contains Personal Data about third parties who are unaware that we are processing their Personal Data. This may trigger an obligation to proactively inform the third party about the processing.

7.7.3 At the same time, we must consider whether it is necessary for the case to include Personal Data about the third party concerned. If it is not necessary, the Personal Data should be deleted immediately, thereby also avoiding the need to address any duty to inform, etc.

7.8 Deletion – When

7.8.1 At the conclusion of a case, we generally no longer need to process Personal Data. The assignment has been completed.

7.8.2 However, a number of other considerations and special rules mean that Personal Data should not or must not be deleted until after a certain period.

7.8.3 It must be specifically assessed how long Personal Data should be retained before being deleted.

  • Accounting rules require that Personal Data related to a payment be retained for 5 years + the current calendar year after the end of the financial year.
  • Anti-money laundering rules require that information collected to meet AML obligations be retained for 5 years after the end of the client relationship, after which it must be deleted immediately.
  • Considerations relating to the ability to protect your/our interests in the event of potential liability for advice may mean that the case should be retained for 10 years after its conclusion.
  • Customer master data should – to ensure logical alignment with the retention period of case files – be kept for 10 years from the end of the client relationship (specific AML information must still be deleted after 5 years).
  • Special considerations apply where Personal Data cannot be stored elsewhere and where a need to recover Personal Data may arise later than 10 years after the case’s conclusion. In such situations, we must specifically assess whether a longer retention period is necessary and decide which Personal Data may and should be kept beyond the 10-year period.
  • Contact information will be deleted on an ongoing basis.
  • Emails that may be relevant for establishing a legal claim must be kept for 10 years and then deleted unless a legal claim is made against – or is expected to be made by – Baker Tilly Legal Law Firm.

7.8.4 Both the considerations and the cut-off points vary.

7.8.5 Proper deletion therefore requires us to map our needs and obligations to ensure proper deletion depending on the purpose of the specific record.

7.8.6 This may mean that Personal Data collected under AML rules is deleted sooner than the specific concluded case. We may therefore find it necessary to retain the case itself in order to counter any potential claims regarding advisory liability. Such passive retention does not, however, mean that the client relationship should still be considered active.

7.8.7 As a general policy (unless otherwise stated in this Privacy Policy), all Personal Data relating to a specific case must be deleted 10 years after the case’s conclusion. All information relating to a customer must be deleted 10 years after the termination of the client relationship.

7.9 Deletion – How

7.9.1 According to the Danish Data Protection Agency’s IT security text ST3 on the deletion of Personal Data, deletion means that Personal Data is irreversibly removed from all storage media where it has been stored, and that the Personal Data cannot be restored in any way. All storage media must be considered – including removable media such as laptops, USB sticks, etc., as well as backups.

7.9.2 To facilitate deletion, all physical material must be scanned into the electronic case file and then shredded or returned to the Customer.

7.9.3 Furthermore, all correspondence, etc., from Outlook must be transferred to the electronic case file and deleted entirely from Outlook, and all reports/presentations, etc., on various portable media and local drives must be transferred to the electronic case file and deleted elsewhere.

7.9.4 This allows the complete case file, in due time (after the retention period has expired), to be entirely deleted from the electronic case management system.

7.9.5 As an alternative, Personal Data can be fully anonymised so that it can no longer be linked to a specific person. In such cases, the regulation on Personal Data does not apply, and full anonymisation is therefore an alternative to deletion. It is important to note, however, that anonymisation – as an alternative to deletion – requires the removal of all traces that could lead to the person the data concerns. This is often a very difficult exercise.

7.9.6 After deletion/anonymisation, we will carry out an appropriate cross-check in the form of searches on name/CPR number, etc., relating to the Customer or case, to ensure that nothing remains.

7.10 IP Addresses and Browser Settings

7.10.1 In connection with each visit to bakertillylegal.dk, your computer’s IP address and browser settings are registered. Your IP address is the address of the computer you use to visit bakertillylegal.dk. Browser settings include, for example, the type of browser you use, browser language, time zone, etc. The IP address and browser settings are recorded to ensure that bakertillylegal.dk can always trace back to the computer used if misuse or illegal activities occur in connection with the visit to or use of bakertillylegal.dk.

7.12 Photographs

7.13 The use of photographs for marketing purposes can only take place with prior consent.

7.14 Anonymisation

7.14.1 Baker Tilly Legal Law Firm does not use anonymisation of customer data for statistical and research purposes or to improve systems, processes, and products.

8 DETAILED PROCESSING RULES - EMPLOYEES

8.1 Legal basis for processing

8.1.1 We process personnel information on the following legal bases:

  • The employee has given his/her consent to the processing of his/her Personal Data for one or more specific purposes.
  • Processing is necessary for the performance of a contract to which the employee is a party, or in order to take steps at the employee’s request prior to entering into a contract.
  • Processing is necessary in order to comply with a legal obligation to which we are subject.
  • Processing is necessary to protect the vital interests of the employee or another natural person.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority vested in us.
  • Processing is necessary for us or a third party to pursue a legitimate interest, unless the employee’s interests or fundamental rights and freedoms requiring protection of Personal Data prevail over that interest.

8.2 Processing of Personal Data prior to employment

8.2.1 Prior to the employment of an employee we will process a number of ordinary Personal Data about the employee.

8.2.2 We receive certain Personal Data directly from the applicant, e.g. an application, a CV, photos, diplomas, statements from previous employers and references.

8.2.3 In addition, we obtain Personal Data about the applicant on our own initiative. This may, for example, be publicly available Personal Data on LinkedIn, Facebook or Personal Data obtained via a general internet search.

8.2.4 The basis for the processing of such ordinary Personal Data that are processed for the purpose of selecting an employee for employment with us is the General Data Protection Regulation Article 6(1)(a) on carrying out measures prior to entering into a contract and the balancing-of-interests rule in Article 6(1)(f).

8.2.5 Images attached to an application may be processed for the recruitment process if consent thereto exists. If images are used for other further purposes than the recruitment process, consent is required for that use.

8.2.6 Prior to the employment of an employee we will in certain cases need to process sensitive Personal Data about an applicant.

8.2.7 If we collect Personal Data about you from your current or former employers via reference collection, we will ask for your consent to this first. Concretely, you will be asked to sign a consent declaration, of which you will subsequently receive a copy yourself. If you do not give consent, we do not obtain reference information.

8.2.8 We will typically ask the employee to obtain a criminal record certificate (private criminal record certificate) themselves, but may also obtain it ourselves with consent (private criminal record certificate with consent). In both situations your consent is required for us to process Personal Data. It will also typically be relevant to obtain criminal record certificates for bookkeepers and other trusted employees. If we ask an employee to obtain his/her criminal record certificate, we will merely view it, but not store it. If we ask the employee to obtain a criminal record certificate, or if we, with your consent, become entitled to obtain the criminal record certificate, your consent is required for us to process Personal Data.

8.2.9 Under the Anti-Money Laundering Act we must screen particular categories of employees. This entails, among other things, that before your employment we ensure that you have not been convicted of an offence that gives rise to a proximate risk of misuse of the relevant position, and likewise that we will become aware if you are convicted of such an offence during your employment. A risk assessment may be carried out depending on which function you are to perform with us. For example, it will not be relevant for persons who do not perform functions that ensure compliance with the Anti-Money Laundering Act. For persons who are employed in a position that is directly or indirectly misused for money laundering or financing of terrorism, it will always be relevant to carry out a closer examination of the person prior to employment. It will depend on a concrete assessment whether a person can directly or indirectly misuse his/her position for money laundering or financing of terrorism.

8.2.10 We will not obtain credit information about job applicants. In certain situations we will use personality tests in connection with recruitment of new employees. This applies particularly where the position is especially trusted. Such a test can by its nature only be carried out if you consent to being tested. Although the result of a personality test may be considered Personal Data of a more private character, we as a starting point regard it as ordinary Personal Data. However, a personality test may also contain sensitive Personal Data. In such case your explicit consent to our processing of Personal Data is required.

8.2.11 In very special cases we may request Personal Data about your health. This may be relevant in situations where illness will have significant impact on your ability to perform the position. If it is specifically assessed necessary to obtain health information, we will state which diseases or symptoms of diseases Personal Data is requested about. In that case information will be obtained with consent.

8.2.12 If you are employed, we will store your application in your personnel file throughout your employment and for a period of 3 years from the termination of the employment.

8.2.13 If your application is rejected, we will as soon as possible – and as a rule no later than 6 months after you have received the rejection – delete the Personal Data which we have received and processed in connection with the recruitment process.

We will, however, at the same time ask for your consent to retain your Personal Data from the recruitment process for a period of 3 years for use in similar recruitment processes for positions corresponding to the position you applied for. If we assess that a job applicant who has not been employed will initiate a claim under the Equal Treatment Act or the Discrimination Act, Personal Data will be Personal Data stored for a period of 3 years.

8.3 Processing of Personal Data about current employees

8.3.1 When an employment relationship is established, we will process a number of additional ordinary Personal Data. These are partly Personal Data which you yourself give to us, e.g. your CPR no., address information, account number etc., the employment contract’s description of work tasks, working hours, salary and similar, Personal Data about next of kin as well as Personal Data about sickness absence and periods of illness. In addition, we independently collect Personal Data about you. This may, for example, be Personal Data about you that is continuously registered from managers and other employees (including minutes from performance and development interviews) as well as from partners. Inquiries and complaints of any kind from other employees or customers/partners, management’s own collection of Personal Data in social media and inquiries from public authorities about the employee etc. will also be included.

8.3.2 If Personal Data is disclosed to public authorities, e.g. to SKAT regarding A-tax or similar, the processing is necessary in order to comply with the withholding and reporting obligation which rests on us as employer, cf. the provisions of tax law.

8.3.3 We will only publish work-related Personal Data about employees on our website without prior consent. Publication of Personal Data of a more personal nature, e.g. a picture of the employee, will only be published with the employee’s consent.

8.3.4 When an employment relationship is established, we will in certain situations also need to process sensitive Personal Data about you. This may, for example, be health information about you, including Personal Data about alcohol abuse and treatment of such abuse, Personal Data about membership of a trade union or Personal Data about criminal offences. Private matters and the results of personality tests do not necessarily contain sensitive Personal Data.

8.3.5 As a starting point it is not permitted to process sensitive Personal Data. However, we may in certain cases process sensitive Personal Data about an employee. This may particularly be the case if the employee has given his/her explicit consent to our carrying out the processing. Without consent we will process health information to the extent necessary in connection with an agreement pursuant to § 56 of the Danish Sickness Benefits Act. In such situations we will process sensitive health information about chronic illness etc. In case of dismissal, where a former employee’s right upon request to obtain information about the reason for dismissal necessitates registration of Personal Data about this, Personal Data may be considered sensitive if they are precise and reproduce concrete factual circumstances of a social or personal nature about the employee. If Personal Data are only kept in vague and approximate terms, they are not necessarily sensitive.

8.3.6 Processing of Personal Data about trade union membership may also be carried out if the processing is necessary to comply with our labour-law obligations or specific rights, which include all forms of obligations and rights that rest on an employment law basis.

8.3.7 In addition, we will only to a limited extent be able to register sensitive Personal Data in a personnel register. There must be registrations that are necessary in order to ascertain whether someone has a legal claim. For example, it may occur that we need to register Personal Data about a criminal offence in the form of embezzlement committed by an employee if this is necessary in order to enforce our claim for compensation against the employee.

8.3.8 Also in areas where a legal claim may be thought to exist, e.g. an employee’s claim for compensation as a result of an occupational injury, it may be necessary to make registrations of sensitive Personal Data for use in a possible case.

8.4 Processing of Personal Data about former employees, including deletion

8.4.1 We must delete Personal Data without undue delay. This may, for example, be in the situation where Personal Data is no longer necessary to fulfil the purposes for which they were collected or otherwise processed.

8.4.2 Personal Data about former employees may be retained for up to 3 years after the termination of the employment. However, we will retain Personal Data for a longer period if we need Personal Data for the purpose that legal claims may be established, asserted or defended, e.g. an employment law case. In such situations Personal Data may be kept for as long as is necessary to conduct the case. The same may apply in connection with occupational injuries.

8.4.3 In connection with an employee’s departure, questions may also arise as to when we may disclose the Personal Data we hold. If at the request of another company where the employee has applied for employment we disclose references on the employee, this may be done without the employee’s consent if it is ordinary Personal Data. Sensitive Personal Data may only be disclosed with the employee’s consent.

8.5 Information to the data subject

8.5.1 At the time Personal Data is collected, we must provide the employee with a number of mandatory Personal Data. In addition, a number of supplementary Personal Data must be given that are necessary to ensure a fair and transparent processing. If we intend to further process Personal Data for a purpose other than that for which the Personal Data were collected, we will inform the employee about this new purpose and other relevant additional Personal Data such as e.g. retention period, access, deletion etc. If an employee is already familiar with the Personal Data, the information obligation does not apply.

8.5.2 If personal information is collected from other sources than the employee, we must provide the employee with a number of mandatory pieces of information in this regard. In addition, a number of supplementary pieces of information must be given that are necessary to ensure a fair and transparent processing of the employee. The mandatory and supplementary information must be provided to the employee within specified deadlines.

8.5.3 If we intend to further process Personal Data for a purpose other than that for which they were collected, we must prior to such further processing provide the employee with information about this other purpose and other relevant additional information, such as e.g. retention period, access, deletion etc. The duty to inform does not apply in a number of cases, including if the employee is already familiar with this information.

8.5.4 Job applicants will be informed if we check them with credit reference agencies such as RKI, as well as about any retention of the credit information, including in which cases Personal Data are stored.

8.6 E-mail

8.6.1 Baker Tilly Legal Advokatfirma provides internet access and use of e-mail to the employee. The employee has in that connection been assigned a special e-mail account.

8.6.2 Use of e-mail for non-work-related purposes may only take place insofar as it is compatible with the employee’s performance of the daily work for the company and in observance of these guidelines. Non-work-related use should therefore only take place to a very limited extent. Employees are instructed that data minimisation of e-mails must be performed.

8.6.3 Baker Tilly Legal Advokatfirma permits private use of e-mail and the internet made available at the workplace. It is Baker Tilly Legal Advokatfirma’s position that employees restrict the private element to a reasonable level. It is considered a reasonable level that private e-mails are short messages and replies, whereas more extensive matters belong to private life.

8.6.4 Baker Tilly Legal Advokatfirma regards everything that the company’s IT equipment is used for as the property of Baker Tilly Legal Advokatfirma, unless it is clearly marked with the indication “private”. This also applies to your documents and e-mails as well as personal documents stored on the local drive on the provided PC. This means that personal e-mails sent/received via your work e-mail in principle can be read by others.

8.6.5 Baker Tilly Legal Advokatfirma may review these Personal Data in order to pursue legitimate interests – such as considerations of operations, security, restoration and documentation as well as considerations for monitoring use, however on the condition that the consideration for employees does not outweigh these interests. For the purpose of ensuring compliance with IT security guidelines and for the purpose of preventing or remedying system failures, the IT responsible may open any e-mail and receive executable files.

8.6.6 In the event of an employee’s absence, e.g. due to illness, holiday or after resignation, Baker Tilly Legal Advokatfirma may give a colleague access to the employee’s e-mail account in question.

8.6.7 Baker Tilly Legal Advokatfirma will not read private e-mails. If, during a review of e-mails, private e-mails are found that have no relation to Baker Tilly Legal Advokatfirma, the e-mails in question will not be read by anyone other than the rightful recipient. We will not read e-mails marked “private”, unless it clearly appears from the circumstances that a particular e-mail – despite the marking – is not private or has content that may be a breach of the employee’s obligations to Baker Tilly Legal Advokatfirma.

8.6.8 Upon an employee’s departure – voluntary or involuntary – his/her e-mail account at Baker Tilly Legal Advokatfirma will only be kept active for a period that is as short as possible from the time when the employee no longer has access to his/her personal e-mail account at Baker Tilly Legal Advokatfirma. The length of the period will be determined taking into account the employee’s position and function and may at most be 12 months. The employee will not be notified of the final shutdown of his/her e-mail account. As soon as possible after the employee can no longer access his/her personal e-mail account, Baker Tilly Legal Advokatfirma will set an autoresponder on the e-mail account with notice of the employee’s departure and any other relevant information. The active e-mail account will thereafter only be used for receiving e-mails. If private e-mails are received, Baker Tilly Legal Advokatfirma may, however, forward the e-mail account to the employee’s private e-mail account. Information about the employee’s personal e-mail address will be removed as soon as possible from Baker Tilly Legal Advokatfirma’s website and other publicly available information sites. Only one – or very few – trusted employees will thereafter have access to the departed employee’s personal e-mail account.

8.6.9 E-mails must be deleted continuously. E-mails which may be relevant to the determination of a legal claim must be stored for 10 years and then deleted, unless a legal claim has been brought against, or is considered to be brought by, Baker Tilly Legal Advokatfirma.

8.7 The Internet

8.7.1 Baker Tilly Legal Advokatfirma permits private use of e-mail and the internet provided at the workplace to a reasonable degree. Internet access may be used for searches that do not conflict with ordinary ethical standards. In particular, internet access may not be used to visit websites whose content is pornographic, political, extremist or discriminatory in character with regard to race, gender, ethnic-social origin or religion. Similarly, the employee must not, by use of e-mail, send material of the aforementioned character.

8.7.2 There is no systematic, general monitoring of the individual employee’s use of the systems. Employees’ movements on the internet and all e-mails sent to and from each individual employee are recorded in a central log file. If there is suspicion of misuse, e.g. sending private e-mails on a large scale or surfing the internet extensively, Baker Tilly Legal Advokatfirma reserves the right to monitor and review the individual employee’s activities and stored data on the IT system.

8.7.3 Registration to special internet facilities, such as subscription services or portals etc., may only take place by agreement.

8.7.4 Baker Tilly Legal Advokatfirma uses a firewall/log which is a system-technical tool used by the system responsible for security reasons. The integrated logging facilities are necessary for the operation and maintenance of systems as well as security monitoring (system log). A system log may contain Personal Data.

8.7.5 Logging of employees’ use of the Internet carried out in the form of a system log on a firewall or another active network component is to be regarded as a system log. The log is used only for system purposes.

8.7.6 Baker Tilly Legal Advokatfirma may review an employee’s use of the Internet for technical and security reasons and to control employees’ use of the internet.

8.8 Home workplace

8.8.1 We have ensured that ad hoc workplaces, e.g. home workplaces for employees who work from home, comply with Baker Tilly Legal Advokatfirma’s IT security rules, cf. below.

8.8.2 Home workplaces can only be accessed via the PC provided by Baker Tilly Legal Advokatfirma with VPN access.

9 DISCLOSURE

9.1 Disclosure to other services

Personal Data are not disclosed to social networks.

9.2 Other disclosure

If Baker Tilly Legal Advokatfirma receives inquiries from the police (or other similar public authority) or the courts about disclosure of information, Baker Tilly Legal Advokatfirma will disclose your information in accordance with applicable law.

10 RIGHTS OF THE DATA SUBJECT

10.1 Handling of requests from the data subject

10.1.1 Our handling of the data subjects’ rights is centralized. The controller will, however, rarely be sufficiently familiar with the individual case to be able to assess whether the data subject’s request can/should be met in whole or in part. The response will therefore be made after dialogue with the relevant case officer, who can account for the considerations in favour of and against granting a request/objection.

10.2 Objection

10.2.1 You have the right to object to our processing of your Personal Data.

You can use the contact details at the bottom to send an objection. If your objection is justified, we will cease processing your Personal Data.

10.3 Access

10.3.1 The data subject has, pursuant to Article 15 of the General Data Protection Regulation, the right to obtain confirmation as to whether or not Personal Data concerning him or her are being processed, and, where that is the case, access to the Personal Data (a copy of the Personal Data must be provided).

10.3.2 In addition, the data subject has the right to receive the following information:

  • the purposes of the processing
  • the categories of Personal Data concerned
  • the recipients or categories of recipients to whom the Personal Data have been or will be disclosed, in particular recipients in third countries or international organizations
  • where possible, the envisaged retention period for the Personal Data, or, if that is not possible, the criteria used to determine that period
  • the right to request the controller to rectify or erase Personal Data or to restrict the processing of Personal Data concerning the data subject or to object to such processing
  • the right to lodge a complaint with a supervisory authority
  • any available information as to the source of the Personal Data, if they are not collected from the data subject

10.3.3 The data subject also has the right to be informed of the safeguards in place where we have transferred Personal Data to third countries.

10.3.4 In order to be able to meet a request for access properly, we must search all systems – including all databases and all hardware and all removable media – and also search all physical material that forms part of a register, and disclose the Personal Data registered about the person in question.

10.3.5 Under the Data Protection Act the right of access does not apply if the data subject’s interest in the information is found to have to give way to overriding considerations of private interests, including the interest of the person in question. It is our assessment that this will, among other things, include information subject to our professional secrecy. Therefore, the right of access will not have an independent significance as long as access is requested to Personal Data that are subject to professional secrecy.

10.3.6 We will respond to your request as soon as possible. If your request is not answered within 4 weeks of receipt, Baker Tilly Legal Advokatfirma will inform you of the reason for this, and when a decision can be expected. Requests concerning the above will only be answered if more than 6 months have elapsed since your last inquiry, unless you can demonstrate a special interest in having the information re-sent. If you believe that the Personal Data we process about you are inaccurate, you have the right to have them corrected. You must contact us and inform us in what way the inaccuracies consist and how they can be corrected.

10.4 Access to your Personal Data

10.4.1 You have at any time the right to be informed of which data we process about you, where they originate from and what we use them for. You can also be informed of how long we store your Personal Data and who receives data about you, insofar as we disclose data in Denmark and abroad.

10.4.2 If you request it, we can inform you of the data we process about you. Access may, however, be restricted out of consideration for other persons’ privacy protection, trade secrets and intellectual property rights.

10.4.3 You can make use of your rights by contacting us. Our contact details are at the top.

10.5 Data portability

10.5.1 Under Article 20 of the General Data Protection Regulation the data subject also has the right to receive Personal Data about him- or herself which he or she has provided to Baker Tilly Legal Advokatfirma in a structured, commonly used and machine-readable format.

10.5.2 The data subject also has the right to transmit such information to another controller without hindrance from Baker Tilly Legal Advokatfirma where the processing is based on consent and the processing is carried out by automated means. If the data subject exercises this right to data portability, the data subject also has the right to have Personal Data transmitted directly from one controller to another where technically feasible.

10.5.3 The right to data portability only covers information the data subject has provided him/herself, and will only cover processing carried out by automated means. The scope of the right to data portability will also be very limited if we base our legal basis for processing on grounds other than consent.

10.5.4 It is our assessment that the right to data portability can only be exercised to a very limited extent in relation to our client information.

10.6 Right to rectification

10.6.1 Pursuant to Article 16 of the General Data Protection Regulation the data subject has the right to have inaccurate Personal Data concerning him or her rectified by the controller without undue delay. Taking into account the purposes of the processing, the data subject also has the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.

10.6.2 This right supplements our fundamental obligation to continuously ensure that only correct and up-to-date information is processed, cf. Article 5(1)(d).

10.6.3 The right to rectification only concerns objective Personal Data and not subjective assessments.

10.7 Right to be forgotten

10.7.1 Under Article 17 of the General Data Protection Regulation the data subject has the right to have Personal Data concerning him or her erased by us without undue delay. If we receive a justified request in this respect, we shall in that case be obliged to delete the Personal Data without undue delay.

10.7.2 However, the right is limited such that deletion cannot be required where processing is necessary to comply with a legal obligation, or where it is necessary for legal claims to be established, asserted or defended, cf. Article 17(3)(b) and (e).

10.7.3 It is our assessment that the “right to be forgotten” will only very rarely come into play in relation to our case handling. It may for example be applied where Personal Data were originally not necessary for the handling of the case and therefore should not have been included in the case at all, or where Personal Data are undoubtedly no longer necessary for the handling of the case. In such case the obligation to delete Personal Data will also follow from the fundamental obligation to only process necessary information, cf. Article 5(1)(c) of the General Data Protection Regulation. The “right to be forgotten” does not apply, however, if (and as long as) we retain such Personal Data in order to be able to counter a possible legal claim from clients.

10.7.4 If we are obliged to delete Personal Data pursuant to Article 17 which have been disclosed to other controllers or processors, we must inform such controllers or processors who process Personal Data that the data subject has requested that all links to or copies or reproductions of the relevant Personal Data be deleted.

10.8 Right to object

10.8.1 It follows from Article 21 of the General Data Protection Regulation that the data subject at any time has the right to object to the processing of his/her Personal Data where the processing is based on Article 6(1)(e) or (f). These provisions concern the right to process ordinary Personal Data where processing is necessary to perform a task carried out in the public interest, or where processing is necessary to pursue a legitimate interest and the consideration of the data subject does not outweigh that interest.

10.8.2 If an objection is made, we may no longer process the Personal Data in question unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

10.8.3 It is our assessment that this provision will only to a limited extent come into play in our case handling, because case handling to a large extent can be linked to the legal basis concerning the establishment of a legal claim, and because we – if the processing otherwise meets the basic processing rules – will often be able to demonstrate compelling legitimate grounds for the inclusion of the information in the case handling.

10.8.4 The provision in Article 21 presupposes that the data subject is made explicitly aware of his/her right to object, and that this must be done at the latest at the time of the first communication. Furthermore, the information on this must be provided clearly and kept separate from the other information.

10.8.5 This provision also contains a number of exceptions, cf. Article 22(2). Among other things, the right does not apply if the decision is necessary for the conclusion or performance of a contract between the data subject and a controller, if the processing has a legal basis in a law, or if the processing is based on the data subject’s explicit consent.

10.9 Right to restriction of processing

10.9.1 Under Article 18 of the General Data Protection Regulation the data subject has the right to obtain restriction of processing where:

  • the accuracy of the Personal Data is contested by the data subject, but only for the period during which the controller is able to verify whether the Personal Data are correct
  • the processing is unlawful and the data subject opposes deletion of the Personal Data and instead requests restriction of their use
  • the controller no longer needs the Personal Data for the processing, but they are required for the establishment, exercise or defence of legal claims
  • the data subject has objected to the processing pursuant to Article 21(1), but only during the period while it is verified whether the controller’s legitimate grounds override those of the data subject.

10.9.2 The right thus constitutes an alternative (and lesser) intervention in case handling compared to the data subject’s right to object under Articles 21 and 22, and the data subject’s “right to be forgotten” under Article 17.

10.9.3 It follows from paragraph 2 of the provision that if processing has been restricted, such Personal Data, apart from storage, may still be processed, e.g. where the data subject gives consent to this, or where processing is necessary for the establishment, exercise or defence of legal claims.

10.9.4 In our assessment the provision will only have limited significance for our access to process Personal Data in our case handling.

10.9.5 The provision also further supplements our own independent obligation to continuously ensure compliance with the fundamental rights of the data subject.

10.10 Security breach

10.11 If you detect a security breach at Baker Tilly Legal Advokatfirma, you must immediately contact us using the contact details given below.

11 DATA PROCESSOR

11.1 Baker Tilly Legal Advokatfirma uses external companies to carry out the technical operation of Baker Tilly Legal Advokatfirma. These companies act as processors for Baker Tilly Legal Advokatfirma.

11.2 Data processing is carried out within the European Union.

11.3 The data processor acts only on instructions from Baker Tilly Legal Advokatfirma, and a data processing agreement is concluded with it before data processing commences.

11.4 The data processor has taken the necessary technical and organizational security measures to prevent data from being accidentally or unlawfully destroyed, lost or deteriorated and to prevent them from coming to the attention of unauthorized persons, being misused or otherwise processed in breach of the law on processing of Personal Data. On your request – and against payment of the data processor’s prevailing hourly rates for such work – the data processor will give you sufficient information to demonstrate that the mentioned technical and organizational security measures have been taken.

11.5 We use the following data processors:

Data processorServer locationType of contractual basis
Bookkeeping serviceEUData processing agreement
ZenegyEUData processing agreement
DocuSignEUData processing agreement
Legis 365EUData processing agreement
BluepipeDenmarkData processing agreement
Microsoft CorporationEUData processing agreement
Fusemail DenmarkDenmarkData processing agreement
Visma E-conomicDenmarkData processing agreement
DatalønDenmarkData processing agreement
Google AnalyticsUSAEU Model Clause Agreement
HuddleEUData processing agreement
VPN  
RDC  

12 SECURITY MEASURES

12.1 We protect your Personal Data and have internal rules on information security. We have adopted internal rules on information security, which contain instructions and measures that protect your Personal Data from being destroyed, lost, or altered, from unauthorized disclosure, and from unauthorized persons gaining access to or knowledge of it.

12.2 Baker Tilly Legal Law Firm will ensure that the collected information, including Personal Data, is handled with care and protected in accordance with applicable security standards.

12.3 We have strict security procedures for the collection, storage, and transfer of Personal Data to prevent unauthorized access and to comply with applicable legislation. Our security is regularly reviewed. The Personal Data you provide to us is stored on our data processors’ servers.

12.4 We have taken the necessary technical and organizational security measures to protect your Personal Data from accidental or unlawful destruction, loss, or alteration and from unauthorized disclosure, misuse, or other acts in violation of applicable legislation.

12.5 We store and process your Personal Data on IT systems with controlled and limited access. The systems are located on servers in secured facilities.

12.6 We use firewalls and authentication protection to safeguard your Personal Data.

12.7 If you send Personal Data to us via e-mail, please note that sending it to us is not secure unless your e-mails are encrypted.

12.8 All data transferred between the client (browser and web app) and server(s) is encrypted using the HTTPS protocol.

12.9 We have full access to all your Personal Data stored in our database(s) and on our server(s). Data will only be accessed on a “need-to-know” basis.

12.10 Access to Personal Data must be limited to persons who have a legitimate need for such access. This number should be as small as possible, taking due account of operational needs; there must be a sufficient number of employees to ensure the operation of the relevant tasks during illness, holidays, staff turnover, etc. The company has discretion in this regard. All case handlers have access to all cases. Baker Tilly Legal Law Firm has assessed this to be necessary as all employees in the firm are involved in the cases.

12.11 Personal Data on paper—e.g., in files and binders—must be stored locked away when not in use. Baker Tilly Legal Law Firm has implemented a secure procedure for shredding and disposing of paper.

12.12 When documents (papers, file cards, etc.) containing Personal Data are discarded, shredding or other measures must be used to prevent unauthorized access to the Personal Data.

12.13 Baker Tilly Legal Law Firm uses an encrypted Dropbox solution for the exchange of data between Baker Tilly Legal Law Firm entities and with clients.

12.14 All client connections are web-based and subject to the Client’s terms and security standards.

12.14.1 If sensitive Personal Data or personal identification numbers are sent by e-mail via the Internet, such e-mails must be encrypted. We strive to avoid the use of personal identification numbers (CPR). If it is deemed necessary to use a personal identification number, the e-mail will be encrypted.

12.14.2 Personal Data must not be stored on USB drives, external hard drives, PC drives, or other storage media. If, in exceptional cases, Personal Data is stored on a USB drive or similar, it must be protected and stored in cooperation with Baker Tilly Legal Law Firm’s IT department. For example, a password-protected and encrypted USB drive can be used. Otherwise, the USB drive must be stored in a locked drawer or cabinet. The same applies to other portable data media. All PCs at Baker Tilly Legal Law Firm have encrypted hard drives.

12.14.3 Employee information is stored on designated PCs in encrypted form.

12.14.4 Employees must not open a PC in large gatherings where it is possible to “look over the shoulder” and thereby gain access to Personal Data.

12.14.5 Employees are obliged not to back up e-mails to their own accounts with smartphone providers, such as iCloud, Samsung account, or similar.

12.15 Furthermore, Baker Tilly Legal Law Firm’s IT Security Policy applies.

13 BACKUP

13.1 Baker Tilly Legal Law Firm backs up all databases and files on shared drives every night. The backup is stored at an external data center.

13.2 We perform the following types of backups:

1) Rolling backup – With this method, a daily backup is taken of all file and data updates, creating a copy of all new data. This creates a history of changes, increasing the possibility of recovering lost data.

2) Clone backup – This backup strategy creates a perfect copy of each device on the network.

13.3 3) Offsite backup – This backup protects against data loss if the on-site backup is lost. All data and files are backed up, and the backup is stored offsite.

13.4 All backup data and files are overwritten at 30-day intervals. It is not technically possible to delete individual files from a backup before such overwriting occurs. This means that if you have requested Baker Tilly Legal Law Firm to delete your Personal Data, such data will be deleted in the live environment (see below) but will remain in the backup until that specific backup is overwritten after 30 days. Baker Tilly Legal Law Firm has implemented internal processes and procedures to ensure that your Personal Data is not reintroduced as live data by restoring from a backup, if your data has been deleted in accordance with your “right to be forgotten.”

14 COOKIES

14.1 We collect information about you in various ways in connection with the operation of bakertillylegal.dk. We obtain information about you on bakertillylegal.dk through so-called “cookies” and through registration and use of bakertillylegal.dk.

14.2 If we place cookies, you will be informed about their use and the purpose of collecting data via cookies. Before we place cookies on your device, we will request your consent. Necessary cookies for ensuring functionality and settings may be used without your consent.

14.3 You can find more information on our website about our use of cookies and how you can delete or reject them. If you wish to withdraw your consent, see the instructions in our cookie policy.

14.4 What is a cookie and similar technologies?

14.4.1 Cookies are small pieces of information that bakertillylegal.dk places on your computer’s hard drive, your tablet, or your smartphone. Cookies contain information that bakertillylegal.dk uses to make communication between you and your web browser more efficient. The cookie does not identify you as an individual user but identifies your computer.

14.4.2 There are two types of cookies—temporary cookies and permanent cookies. Temporary cookies are pieces of information that are deleted when you close your web browser. Permanent cookies are stored on your computer until deleted. Permanent cookies delete themselves after a certain period but are renewed each time you visit bakertillylegal.dk. Bakertillylegal.dk uses both temporary and permanent cookies.

14.4.3 We use similar technologies that store and read information in the browser or device and use local devices and local storage, such as HTML5 cookies, Flash, and other methods. These technologies may work across your browsers. In some cases, the use of these technologies cannot be controlled by the browser but requires a specific tool. We use these technologies to store information used to ensure the quality of our services and to detect irregularities in the use of bakertillylegal.dk.

14.4.4 When you visit bakertillylegal.dk for the first time, you automatically receive a cookie.

A cookie is a small text file stored in your web browser that registers you as a unique user. This cookie identifies our web server when you visit bakertillylegal.dk and records your use thereof.

14.4.5 A cookie may contain text, numbers, or, for example, a date, but no Personal Data is contained in a cookie. It is not a program and cannot contain viruses.

14.4.6 We use cookies to customize and create content and services that match your interests and preferences. We also use cookies to compile demographic and user-related statistics and thus determine in more detail who visits bakertillylegal.dk. We only register anonymous information such as IP numbers, number of bytes sent and received, Internet host, time, browser type, version, and language, etc.

14.5 What types of cookies do we use and for what purposes?

We use cookies for:

  • Statistics – Measuring traffic on bakertillylegal.dk, including the number of visits to bakertillylegal.dk, which domains the visitors come from, which pages they view on bakertillylegal.dk, and the general geographic area in which the user is located.
  • Improving functionality – Enhancing functionality and optimizing your experience of bakertillylegal.dk and helping you remember your username and password so you do not have to log in again when you return to bakertillylegal.dk.
  • Social media integration – Allowing you to integrate with social media such as Facebook.
  • Quality assurance – Ensuring the quality of our services and preventing misuse and irregularities in connection with the use of our services.
  • Targeted marketing – Displaying specific marketing on bakertillylegal.dk that we believe you will find interesting.

14.6 Third-party access

Baker Tilly Legal Law Firm grants access to its subcontractors to view the contents of the cookies set by bakertillylegal.dk. However, this information may only be used on behalf of Baker Tilly Legal Law Firm and may not be used for the subcontractor’s own purposes.

14.7 Third-party cookies

Our website uses cookies from the following third parties:

14.8 How to refuse the use of cookies

14.8.1 Most browsers allow you to delete cookies from your hard drive, block all cookies, or receive a warning before a cookie is stored. Please note that, in such cases, there may be services and features you cannot use because they require cookies to remember the choices you make. We hope you will allow the cookies we set, as they help us improve Baker Tilly Legal Law Firm.

14.9 How to delete cookies

14.9.1 You can always delete cookies stored on your computer.

Instructions are available for:

  • Internet Explorer
  • Mozilla Firefox
  • Google Chrome
  • Opera
  • Safari
  • Flash cookies
  • Apple
  • Android
  • Windows 7

14.10.1 Baker Tilly Legal Law Firm uses Google Analytics to analyze how users use bakertillylegal.dk. The information the cookie collects about your use (traffic data, including your IP address) is sent to and stored on Google’s servers in the USA. Google uses the information to evaluate your use of Baker Tilly Legal Law Firm, compile reports on activity on bakertillylegal.dk, and provide other services related to activity on bakertillylegal.dk and Internet usage. Google may also disclose the information to third parties if required by law or if a third party processes the information on Google’s behalf.

Google Analytics sets two types of cookies:
(a) A persistent cookie showing whether the user is a returning visitor, where the user came from, which search engine was used, keywords, etc.
(b) Session cookies used to show when and for how long a user is on the site. Session cookies expire after each session, i.e., when you close your tab or browser. Google does not combine your IP address with other information Google holds.

14.11 Most browsers allow you to delete cookies from Google Analytics. Read more about Google Analytics’ use of cookies.

14.11.1 By using bakertillylegal.dk, you consent to our use of cookies as described. If you no longer wish to consent to the use of cookies, you must opt out by changing your browser settings.

15 CHANGES TO THE PRIVACY POLICY

15.1 Baker Tilly Legal Law Firm may change this Privacy Policy at any time and without notice, with effect for the future. Baker Tilly Legal Law Firm’s new Privacy Policy will thereafter apply to your use of Baker Tilly Legal Law Firm.

16 INQUIRIES

16.1 If you have questions about this Privacy Policy, our processing of Personal Data, rectification, or your relationship with us in general, please feel free to contact us at the following address:

Baker Tilly Legal Advokatfirma P/S
CVR no.: 41330236
Poul Bundgaards Vej 1E
DK-2500 Valby
Denmark

E: info@bakertillylegal.dk 
W: www.bakertillylegal.dk

17 THE DANISH DATA PROTECTION AGENCY

17.1 You have the right to file a complaint with the Danish Data Protection Agency regarding Baker Tilly Legal Law Firm’s collection and processing of your Personal Data:

Datatilsynet
Borgergade 28, 5.
1300 Copenhagen K

Phone: +45 3319 3200
E-mail: dt@datatilsynet.dk
www.datatilsynet.dk

Now, for tomorrow
We believe in the strength of good relationships. Let’s meet the future together.
Contact us today