Privacy policy for clients

LEX ehf.
Borgartúni 26
105 Reykjavík
Tel.: (+354) 590 2600
Email: lex@lex.is
Data Protection Officer: Lára Herborg Ólafsdóttir, personuvernd@lex.is

LEX ehf. (LEX) strives to ensure the protection of personal data and that the processing of personal data is in compliance with applicable laws and regulations. This privacy policy applies to the collection and processing of personal data regarding LEX‘s clients. The purpose of this privacy policy is to inform clients how and why personal data is collected and how it is processed. This privacy policy is based on Act no. 90/2018 on Data Protection and the Processing of Personal Data.

What personal data does LEX collect?

Personal data means any information relating to an identified or identifiable person. An identifiable person is one who can be identified, directly or indirectly, such as by reference to an identifier such as name, ID number, location data, an online identifier or to one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Processing of personal data means any operation or set of operations where personal data is processed, whether or not by automated means.
LEX collects various types of personal data from its clients and their representatives (data subjects). These types of personal data may include:

  • Names
  • ID numbers
  • Email addresses
  • Phone numbers
  • Addresses
  • Financial information, such as bank account information
  • Photographs
  • Sound and/or video recordings
  • Sensitive personal data, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning health, a person‘s sex life or sexual orientation, genetic data and biometric data, if the processing of such information is necessary for the provision of services to the client.

Where does personal data originate from?

In most cases, clients‘, or their representatives‘, personal data is collected directly from clients. Examples of such data collection are:

  • When clients provide LEX with data in connection with the provision of services;
  • When clients contact LEX.

In some cases, personal data is collected from third parties, such as Registers Iceland, credit information agencies, courts and other public bodies.

For which purposes does LEX process personal data?

LEX processes personal data to provide its legal services to clients, e.g.:

  • To identify and contact clients. This processing is necessary for the performance of a contract between LEX and the client. According to the Codex Ethicus for the Icelandic Bar Association, which LEX adheres to in all respects,  and by national law LEX is required to identify its clients.
  • To prevent conflicts of interest. LEX‘s lawyers are required by law to perform their tasks with due care and use their best efforts in the services of their clients‘ interests.
  • To perform legal services for clients, including litigation before the courts. This processing for the performance of a contract between LEX and the client.
  • To maintain records of client‘s cases which contain information on clients and their representatives. This processing necessary for LEX‘ legitimate business interests to keep organised and structured records of the firm‘s cases;
  • To make statistical or other operational analyses for in-house purposes, for business development or other similar purposes. This processing is based to LEX’ legitimate interests to continuously develop and improve its services.
  • To accept payments from clients and make other similar financial arrangements.
  • When individuals contact LEX through its website or by email, they are considered to having consented to the collection and processing of personal data which they may have submitted during such communication.

How does LEX store personal data?

LEX stores personal data in a secure manner and in compliance with applicable laws and regulations. Technical and organisational measures have been taken to protect clients‘ and their representatives‘ personal data from e.g. destruction and unauthorised access. The use of access controls ensures that employees have a need-to-know access to the firm’s cases. LEX never stores clients‘ personal data outside the EEA.

LEX retains personal data regarding its clients and their representatives as long as necessary to fulfill the purpose for which it was collected. Clients‘ data are categorised into case files in accordance with tasks clients have assigned to LEX, both in and out of courts. Generally, LEX retains data relating to cases, which may include personal data, no longer than ten years from the date the case file is closed by LEX, provided that the firm is not required by law or for another apposite reason to retain the data for a longer period. Accounting records in connection with LEX‘s provision of services to its clients are retained for a period of seven years from the closure of the accounting year in question, in accordance with the Accounting Act no. 145/1994.

Recipients of personal data

LEX does not transfer client data to third parties except with their explicit consent, for the purpose of fulfilling a contract between LEX and the client or in the case of a legal obligation. Notwithstanding the foregoing, LEX may transfer client data to its third party service providers, e.g. providers of software which is used at LEX. These third party service providers are bound by confidentiality.
LEX does not transfer client data to third parties located outside the EEA unless permitted to do so according to applicable data protection law and regulations.

LEX may transfer client data to law enforcement authorities and other competent third parties if obliged to do so by law or regarding legal claims.

Rights of data subjects

Data subjects, i.e. clients and their representatives, have the right to obtain information on and access to their personal data from LEX. They have the right to withdraw their consent for the processing of personal data that is based on the data subject‘s consent. Data subjects also have the right to request the rectification or erasure of their personal data as well as the restriction of processing. In certain circumstances, data subjects have the right to request the transmission of their data which they have provided to LEX to another controller. The aforementioned rights may be subject to restrictions according to applicable laws and regulations.

Where personal data have not been obtained from the data subject, the data subject has the right to information regarding which source the personal data originate from.

If clients or their representatives wish to receive further information or exercise their rights they are advised to contact LEX’ Data Protection Officer, by Email at personuvernd@lex.is or by telephone at (+354) 590-2600.

Data subjects have the right to lodge a complaint with a supervisory authority, Persónuvernd in Iceland, if they believe that LEX has not respected their rights in relation to the processing of their personal data.

Changes

LEX reserves the right to make changes to this privacy policy as needed. Any material changes that are made to this privacy policy will be announced. The latest version of the privacy policy may always be accessed on LEX’ website.

This Privacy Policy was adopted on 23 August 2018 and updated on 12 December 2023

Privacy policy for job applicants

LEX ehf.
Borgartúni 26
105 Reykjavík
Tel.: (+354) 590 2600
Email: lex@lex.is
Data Protection Officer: Lára Herborg Ólafsdóttir, personuvernd@lex.is

LEX ehf. (LEX) strives to ensure the protection of personal data and that the processing of personal data is in compliance with applicable laws and regulations. This privacy policy applies to the collection and processing of personal data concerning job applications that are submitted to LEX. The purpose of this privacy policy is to inform job applicants how and why personal data is collected and how it is processed. This privacy policy is based on Act No. 90/2018 on Data Protection and the Processing of Personal Data.

What personal data does LEX collect?

Personal data means any information relating to an identified or identifiable person. An identifiable person is one who can be identified, directly or indirectly, such as by reference to an identifier such as name, ID number, location data, an online identifier or to one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Processing of personal data means any operation or set of operations where personal data is processed, whether or not by automated means.
LEX collects various types of personal data from job applicants (data subjects). These types of personal data may include:

  • Names
  • Email addresses
  • Phone numbers
  • Addresses
  • Photographs
  • Career history
  • Education information
  • Any other personal data the applicant may choose to share with LEX or made public by the applicant, such as hobbies and interests.

Where does personal data originate from?

In most cases, personal data is collected directly from the data subjects when they submit their applications and accompanying documents to LEX. Applications may be submitted electronically via Email or on paper. In some cases, personal data comes from third parties, e.g. references from former employers. Sometimes, LEX utilises the services of recruiting agencies in the hiring process. In such cases, the recruiting agency in question may send applications to LEX.

For which purposes does LEX process personal data?

LEX processes job applicants‘ personal data in the hiring process to evaluate their competencies and whether they are suited for a position at LEX, including:

  • To identify applicants.
  • To contact applicants.
  • To verify references and whether information the applicants provide to LEX is correct.
  • To evaluate whether applicants are suited for a position at LEX.

Applicants are considered to have consented to LEX‘ collection and processing of their personal data in the hiring process by submitting their application, provided that their information is not used for any other purpose than to evaluate their competencies and whether they are suited for a position at LEX.

How does LEX store personal data?

Personal data is stored in LEX‘s database in a secure manner and in compliance with applicable laws and regulations. Technical and organisational measures have been taken to pro-tect applicants‘ personal data from e.g. destruction and unauthorised access. Job applicants’ personal data is never stored outside the EEA.

Only those persons at LEX who are involved in each hiring process have access to job applications and personal data contained therein. Job applications are stored in LEX‘s database so that applicants may be contacted if they are being considered for a position. If an application does not lead to employment at LEX, the application is generally deleted after the hiring process. Notwithstanding the foregoing, LEX reserves the right to store job applications for a period of up to 12 months for the purpose of contacting the applicant in question for a suitable position at LEX at a later stage. If an applicant does not want LEX to continue to store the application, the applicant may object to such continued storage by notifying LEX. If the hiring process leads to employment, LEX may store the successful applicant‘s application for the duration of the employment or as described in LEX‘s privacy policy for employees.

Recipients of personal data

Only those employees who are involved in each hiring process have access to job applications and personal data contained therein.
Sometimes, LEX utilises the services of recruiting agencies in the hiring process, in which case application data may be transferred to the recruiting agency in question.
LEX may transfer applicants’ data to its third party service providers, e.g. providers of soft-ware which is used at LEX. These third party service providers are bound by confidentiality.
LEX may furthermore transfer client data to law enforcement authorities and other competent third parties, if obliged to do so by law or regarding legal claims.

Rights of data subjects

Data subjects, i.e. job applicants, have the right to obtain information on and access to their personal data from LEX. They have the right to withdraw their consent for the processing of personal data that is based on the data subject‘s consent. Data subjects also have the right to request the rectification or erasure of their personal data as well as the restriction of processing. In certain circumstances, data subjects have the right to request the transmission of their data which they have provided to LEX to another controller. The aforementioned rights may be subject to restrictions according to applicable law and regulations.
Where personal data have not been obtained from the data subject, the data subject has the right to information regarding which source the personal data originate from.

If data subjects wish to receive further information or exercise their rights they are advised to contact LEX’ Data Protection Officer, Lára Herborg Ólafsdóttir, by email at personuvernd@lex.is or by telephone at (+354) 590-2600.

Data subjects have the right to lodge a complaint with a supervisory authority, Persónuvernd in Iceland, if they believe that LEX has not respected their rights in relation to the processing of their personal data.

Changes

LEX reserves the right to make changes to this privacy policy as needed. Any material changes that are made to this privacy policy will be announced. The latest version of the privacy policy may always be accessed on LEX’ website.

This Privacy Policy was adopted on 23 August 2018 and updated on 12 December 2023