For cases concerning copyright infringement
1.1 NJORD Advokatpartnerselskab (”NJORD”, ”we”, “our” or ”us”) processes personal data as a natural part of the law firm’s client and case management.
1.2 This notice (the ”Personal Data Notice”) explains in detail what type of personal data NJORD processes as part of our prosecution of copyright infringements on behalf of our clients.
1.3 You are kindly requested to review the Personal Data Notice to understand how we manage personal data.
2. Data controller
2.1 NJORD is located in Copenhagen at Pilestræde 58, 1112 Copenhagen K, and in Århus at Åboulevarden 17, 8000 Århus C.
2.2 We represent film producers (the ”Rights Holders”) with a view to stop and prosecute copyright infringement.
2.3 As a law firm, we are data controllers of the personal data received by us as a part of the case management.
2.4 All data are stored on secure servers in Denmark.
3. Data processed by us
3.1 Initially, we collect the IP address and time and place of the copyright infringement, including the film title in question. The collection takes place by an independent third party, who can track and monitor data traffic, including identify IP addresses illegally downloading or sharing files.
3.2 Subsequently, we collect name and address of the owner of the internet connection to which the IP address belongs. The collection takes place through the owner’s internet provider, who is imposed to provide the personal data based on a court order. If necessary, we collect additional information about the owner of the IP address from publicly available sources.
3.3 When we have collected data about an illegal activity, we send a letter to the owner of the IP address with a view to prosecute the activity on behalf of the Rights Holders. If we receive additional personal data via the correspondence (e.g. an email address), we will also be processing such data as part of the case management.
3.4 Generally, we consider the owner of the IP address and the person who has infringed the copyrights as one and the same person. We continue to do so until proved otherwise.
4. Basis for the processing
4.1 Personal data processed by us are limited to what is strictly necessary to investigate and prosecute infringement of copyrights.
4.2 Generally, we consider all data as personal data pursuant to the General Data Protection Regulation (the “GDPR”), which we are processing based on the Rights Holders’ legitimate interests in prosecuting illegal downloading and file sharing, see Article 6(1)(f) of the GDPR.
4.3 To the extent that the details of the case concern special categories of data (sensitive data) as a rare exception, we are processing such data based on the Rights Holders’ interest in establishing and exercising a legal claim, see Article 9(2)(f) of the GDPR.
4.4 We are aware that our processing of personal data in these cases imply that data appear as a very specific reasonable suspicion of a criminal offence which may be covered by Article 10 of the GDPR. Therefore, our standard procedure follows the common procedure pursuant to the rules of professional conduct and the Danish Administration of Justice Act in connection with the proceedings in court. It means that the recipients of our letters are always presented with the facts of the case at the criminal offence, so that it is possible to reply to our letter on the basis of an informed choice.
If personal data are processed by us as part of our compliance with legal obligations, including, for example, the Code of Conduct of the Danish Bar and Law Society, the Danish Consolidated Bookkeeping Act, etc., we process the necessary personal data with reference to Article 6(1)(c) of the GDPR, i.e. where processing is necessary for compliance with a legal obligation.
5.1 Personal data are disclosed to third parties where it is relevant for the management or completion of a case, or where NJORD is required to do so. Such disclosure may include e.g. the parties to the case and public authorities, including the police, SKAT [the Danish Tax Authorities] and the courts. These parties are independent data controllers.
5.2 NJORD also uses data processors that provide various kinds of services. For example, IT support and IT infrastructure. Any type of data processing takes place according to a written agreement, which ensures full compliance with applicable rules.
6. Erasure of personal data
6.1 We erase all case related data five years after the conclusion of the case. A case may be concluded when we consider that there is no basis for a claim against you, or when a lawsuit is finally settled, or when a settlement has been met. The time limit for erasure is fixed taking into account that NJORD as a law firm is obliged to store files for minimum five years pursuant to the Code of Conduct of the Danish Bar and Law Society and Section 126(1) of the Danish Administration of Justice Act.
7.1 All our employees are subject to strict confidentiality pursuant to their employment and the statutory duty of confidentiality for lawyers pursuant to Section 126(1) of the Danish Administration of Justice Act.
8.1 As a data subject, you have a number of rights when NJORD processes your personal data, including the right of access, the right to rectification, erasure and restriction and the right to make a complaint.
8.2 If you want to exercise one or more of your rights, you are welcome to contact us at any time, and we will answer your request within 30 days.
8.3 We kindly ask you to be specific and serious when you contact us. If your request is manifestly unfounded or excessive, we reserve our right to refuse to act on your request or charge an administration fee for taking action. This may be the case in the event of harassment or repetitive requests.
8.4 As data controllers we need to ensure that we do not disclose personal data to unauthorised persons. Therefore, we need to ensure that you are the person that you purport to be. To exercise your data protection rights, you are thus required to prove your identity by sending your request together with a copy of a valid picture ID and proof of address, for example by sending us a copy of your passport or your driver’s licence together with your national health insurance card. We offer highly encrypted email reception via SEPO tunnel encryption, but no other encryption solutions. If you do not want to use standard email encryption in accordance with your and our internet provider’s standards, you can use ordinary mail.
8.5 Please note that we reserve our right to refuse your request if you do not adequately prove your identity. After 30 days without authentication, your request will automatically lapse.
8.6 Before submitting your request, it may be useful to read through the below FAQ.
9. FAQ on data rights
9.1 Right of access
You have the right of access to personal data concerning you collected by us, if it does not violate the rights of others.
It means that you can always get access to your name, address, the IP address that the infringement is registered on, the date of infringement and the title of the infringed publication in question. Most of this information already appears from the letter you have received from us.
If you request further access, you can obtain some technical data concerning the infringement called hash value and swarm size. All data will be provided electronically by email when you have proven your identity, see sub-clause 8.4.
We are entitled to exclude some of your personal data from your right of access due to the fact that we are preparing a case against you and thereby safeguarding the Rights Holders’ legitimate interests and protecting their rights through the enforcement of a civil law claim, see Section 22(2)(10) of the Danish Data Protection Act.
9.2 Can I obtain a copy of my case file?
You cannot obtain your entire case file or the individual documents of the case.
We cannot provide you with these documents since we are preparing a case against you and thereby safeguarding the Rights Holders’ legitimate interests and protecting their rights. Nor do we want to disclose the names of our case managers or of other case managers involved in order not to affect the freedoms of others.
We refer to Article 15(4) of the GDPR, according to which the right to obtain a copy must not adversely affect the rights and freedoms of others, and to Section 22(2)(10) of the Danish Data Protection Act, according to which the right of access, overridden by essential considerations of private interests, shall not apply to the enforcement of civil claims.
9.3 Can I get right of access pursuant to the Danish Act on Access to Public Administrative Documents?
NJORD is a private enterprise, which means that we are not subject to rules on access according to administrative law. Thus, you have no right of access pursuant to the Danish Act on Access to Public Administrative Documents. Your right of access is only pursuant to the data protection rules.
9.4 Can I have my data erased?
You have no right to have your personal data processed by us erased since our processing takes place as part of a prosecution of a criminal offence.
We would like to point out that you cannot exercise your data protection rights in contravention of the rights of others – in this case, the Rights Holders’ legitimate interests in prosecuting the infringement of copyrights, see Article 17(3)(e) of the GDPR, according to which the obligation to erase does not apply to the extent that the processing is necessary for the establishment, exercise or defence of legal claims.
When your case is concluded – whether by settlement, judgment or otherwise – we will store your case file for five years after the conclusion in accordance with our legal obligations pursuant to the Code of Conduct of the Danish Bar and Law Society and Section 126(1) of the Danish Administration of Justice Act. We refer to Article 17(3)(b) of the GDPR, according to which the obligation to erase does not apply to the extent that the processing is necessary for compliance with a legal obligation.
9.5 Can I have my personal data rectified?
You have the right to obtain rectification of inaccurate personal data concerning you.
You can at any time ask us to rectify your basic data, such as your name and address. Anything you want rectified must be documented by you.
You cannot rectify data concerning the criminal offence, unless we share your perception of a given fact. We assess the case based on the Danish legal system’s standards for the production of evidence during legal actions, and obviously we cannot preclude evidence based on your statements. We safeguard the Rights Holders’ legitimate interests in prosecuting infringement of copyrights, and the legal system ensures your opportunity to safeguard your interests, including to prove the facts of the case.
10. Contact and complaint
10.1 If you want to contact us, including to make a complaint about our processing of your personal data, please contact:
1112 Copenhagen K
Telephone: (+45) 28 11 58 52 39
10.2 If, upon assessment of your complaint, we have not been able to comply with your objection, you can lodge a complaint with the Danish Data Protection Agency.