This is how we handle your personal data

The relevant personal data rules currently applicable for our processing of personal data are laid down in the General Data Protection Regulation (Regulation no. 2016/679 of 27 April 2016) and the Danish Data Protection Act (Act no. 502 of 23 May 2018).

Our data protection policy relates to our processing of personal data as data controller. We are the data controller in a number of situations, such as when we handle client matters, when we engage new employees and in connection with marketing activities.

1. Whose personal data do we process?

Poul Schmith protects and processes the personal data of our clients, opponents, suppliers, employees, partners, the users of our website and recipients of marketing information etc. in accordance with the law on processing of personal data as applicable at any time.

2. What personal data do we process?

"Personal data" includes any information relating to an identifiable natural person, such as the person's name, e-mail address, personal identification number (CPR number) and address, and to factors specific to the physical, physiological, financial, cultural or social identity of that person. Data on legal persons are not included in the definition of "personal data".

Depending on the nature of the case or inquiry, we process general data, identification data (CPR number), data on criminal offences and sensitive data.

3. Where do the data come from?

We collect personal data directly from you or from a third party, such as clients, public authorities or partners.

4. How do we process the data?

"Processing" of personal data covers any activity involving personal data, such as collection, recording, structuring, organisation, storage, adaptation, alteration, consultation, use or disclosure.

We primarily process personal data about our clients, opponents, suppliers, employees and partners, but only to the extent necessary for the specific purpose and if there is a legal basis for doing so.

In most cases, we need to process general personal data, such as name, title, telephone number and e-mail address. The processing is necessary to enable us to deliver our legal services, submit invoices and perform quality assurance and audit and to comply with the requirements for documentation of identity under the Anti-Money Laundering Act to which we are subject in many matters.

In addition, it may in certain situations be necessary for us to process data on criminal offences and to process sensitive data such as data concerning health.

5. Use of artificial intelligence in our legal matter handling

We may use tools based on artificial intelligence (“AI tools”) in our legal matter handling for support, for example for legal research, document analysis, transcription, translation and structuring of information. AI tools are used solely as a supporting tool.

No automated decisions are made about you within the meaning of Article 22 of the General Data Protection Regulation. All assessments and decisions, including the legal advice provided to the client, are made by our employees who professionally assess and validate the results originating from AI tools.

When we use AI tools, personal data are processed in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Danish Data Protection Act. We comply with the principles of purpose limitation and data minimisation, see GDPR Article 5(1)(b) and (c), by only processing the personal data in the AI solutions that are necessary for the specific task. We implement appropriate technical and organisational security measures, see Article 32, taking into account the nature of the data that we process and the risks involved.

If we use external providers of AI tools (for example hosting providers or specialised AI services) as data processors, we enter into data processing agreements in compliance with GDPR Article 28. We ensure that these providers only process personal data according to our instructions and do not use the data for their own purposes, including for training of general models, unless this has been specifically agreed and communicated or is required by mandatory legislation.

6. To whom do we disclose your personal data?

We only disclose your personal data to external parties if necessary and if there is a legal basis for doing so. External parties may be public authorities, private businesses or persons, foundations, associations, etc., depending on the nature of the matter. In addition, we pass on data to our data processors (e.g. IT suppliers).

Our employees may perform work from workplaces located outside the EU/EEA. Such access takes place solely as part of internal processing within Poul Schmith, which acts as an independent Danish data controller, and does not constitute a disclosure of personal data or a transfer to third countries.

Internally, only employees with a work-related need to see your personal data will be able to access the data.

7. What is the legal basis for our processing of your data?

We collect and process personal data on the following legal basis:
In connection with supply of legal services, we process data on clients, opponents and business partners under the authority of Article 6(1), point (f) of the General Data Protection Regulation (the legitimate interests rule) and Article 9(2), point (f) of the General Data Protection Regulation. This is based among other things on a legitimate interest in establishing, exercising or defending legal claims and in safeguarding the interests of our clients. We also process personal data on our clients under the authority of Article 6(1), point (b) of the General Data Protection Regulation where the processing is necessary for concluding and performing the contract on legal assistance.

We process personal data on participants in courses, training sessions and other events under the authority of Article 6(1), point (b) or Article 6(1), point (f) of the General Data Protection Regulation for the primary purpose of registering the participants, managing the event and issuing relevant course material, evaluation forms etc.

We only process your personal data for marketing purposes and for newsletters if you have given your explicit consent. The processing thus takes place under the authority of Article 6(1), point (a) of the General Data Protection Regulation. We publish personal data on employees or similar on our website and on social media platforms under the authority of Article 6(1), point (f) of the General Data Protection Regulation as part of our legitimate interest in making the content available to our users.

In general, we process personal data when the processing is necessary for compliance with a legal obligation (e.g. under the Anti-Money Laundering Act). This is authorised under Article 6(1), point (c) of the General Data Protection Regulation. We process data on criminal convictions and offences under the authority of Article 10 of the General Data Protection Regulation and section 8 of the Danish Data Protection Act (databeskyttelsesloven). We process CPR numbers (personal identification numbers) under the authority of section 11(2) of the Danish Data Protection Act.

For the purpose of preventing vandalism and burglaries etc., we carry out CCTV surveillance of entrance doors, reception areas, corridors, common areas etc. This is authorised under Article 6(1), point (f) of the General Data Protection Regulation and section 8 of the Danish Data Protection Act based on security interests and considerations and takes place within the framework of the Danish Act on TV Surveillance (tv-overvågningsloven).

8. When do we delete your data?

We will delete your personal data recorded with us when they are no longer necessary for the purpose(s) for which they were collected or processed.

We have internal guidelines for the period of storage of all categories of personal data. The guidelines are determined in accordance with the obligations to which we are subject under applicable law, including documentation and auditing requirements.

9. What are your rights?

You have certain rights under the data protection rules in relation to our processing of data about you.

If you wish to exercise any of those rights, please contact us. You have the following rights:

The right to see the data (right of access)

You are entitled to access the data that we process about you and certain other information.

Right of rectification (correction)

You are entitled to have incorrect data about you corrected.

Right of erasure

In special circumstances you are entitled to have data about you erased before the time of our generally scheduled erasure.

Right of restriction of processing

You are in certain circumstances entitled to restriction of processing of your personal data.

Right to object

You are in certain circumstances entitled to object to our otherwise lawful processing of your personal data.

Right to data portability 

You are in certain circumstances entitled to receive personal data in a structured, commonly used and machine-readable format and to transmit those data to another controller.

Right to withdraw consent

Where our processing of your personal data is based on your consent, you are entitled to withdraw your consent at any time. You may do so by contacting us as specified below.

If you choose to withdraw your consent, this will not affect the lawfulness of our processing of your personal data on the basis of your previous consent until the time of the withdrawal. If you withdraw your consent, this will only take effect at the time of the withdrawal.

You can read more about your rights in the Danish Data Protection Agency's guide to the rights of data subjects, available at www.datatilsynet.dk.

10. Contact us

You may contact us if you wish to exercise any of your rights as described in paragraph 9 above, if you wish to complain, or if you have any other questions in relation to our personal data policy.

In this connection, please write to your closest contact person with us or as follows:

Poul Schmith
Kalvebod Brygge 32
DK-1560 Copenhagen V
Telephone: + 45 33 15 20 10
E-mail: GDPRrequests@poulschmith.com

11. Complaint to the Danish Data Protection Agency

You may also complain to the Danish Data Protection Agency about our processing of your personal data. See for more information www.datatilsynet.dk.

12. Changes to our data protection policy

Our data protection policy was last updated on June 9th 2026 and will be regularly updated.