Privacy Statement
LAST UPDATED: December 2025
This Privacy Statement explains how Nor Law processes information that identifies you as an individual or relates to you as an identifiable individual. We call this “personal data”. We process Personal Data of our clients, prospects, suppliers, third parties and website visitors as described below.
Please note that if you disclose any personal data relating to other people to us, such as of your employees, you represent that you have the authority to do so and permit us to use the information in accordance with this Privacy Statement.
Clients
The below table describes our processing activities of clients. Unless stated otherwise, we do not receive this information from third party sources.
Purpose | Personal data categories | Legal basis |
Providing legal services |
| Performing the contract we have with you for the provision of legal services |
Conflict check |
| We have a legal and ethical obligation to ensure that we do not have a conflict of interest when we represent you. |
Managing invoices/payments (including (legal) enforcement thereof) |
| Performing the contract we have with you for the provision of legal services. |
Complying with our legal obligations (such as in relation to client background/KYC checks) |
| We have a legal obligation to identify our clients, or to report suspicious transactions/activities |
Marketing activities (e.g., invitations to webinars, newsletters, managing conferences, visits and other events) |
| We have a legitimate interest to advertise our services to clients and interested parties. |
Suppliers
The below table describes our processing activities of our suppliers. Unless stated otherwise, we do not receive this information from third party sources.
| Purpose | Personal data categories | Legal basis |
| Obtaining services and making associated payments |
| Performing the contract we have with you. |
Third parties
The below table describes our processing activities of third parties, such as prospective clients, colleagues from other firms, opposing parties, individuals employed by our clients, business partners and other contacts. Unless stated otherwise, we do not receive this information from third party sources.
| Purpose | Personal data categories | Legal basis |
| Providing legal services |
| Performing the contract we have with our client. |
| Participation in (business) associations, creating and/or expanding our (business) network | Name and contact details | We have a legitimate interest to process personal data of partners, local counsel, business contacts, or individuals that are part of the same (business) association |
| Marketing activities (e.g., invitations to webinars, newsletters, managing conferences, visits and other events) |
|
|
Other purposes for processing
We may process personal data as necessary and relevant for the following general purposes:
| Purpose | Legal basis | |
| Performing and allowing for audits or other checks | We have a legal obligation to audit our processes and to assist supervisory authorities, such as the President of the Local Bar, with audits performed to supervise our compliance with the law. | |
| Dispute resolution | We have a legitimate interest to enforce our contracts and terms and conditions, pursue available legal remedies, defend claims and limit the damages that we may sustain. | |
| Responding to requests |
|
|
Disclosures of personal data
We disclose personal data to the following recipients:
- IT service providers and related infrastructure service providers (including email delivery service providers, invoicing software);
- Business partners (such as legal professionals, local counsel and other law firms) and service providers (such as translation agencies, bailiffs, subject-matter experts or other experts) as necessary for the provision of legal services;
- Third persons (legal or natural), as relevant for the specific legal action and/or processes in question (such as lawyers, experts, auditors, insurers, advisory firms, etc.);
- Judges, opposing parties, and other parties involved in our client matter (e.g., mediators), as necessary for the provision of our legal services or the legal proceedings;
- The President of the Local Bar, if and when requested;
- Professional advisors, such as accountants, lawyers, banks, and financial institutions.
- Public and/or government and/or regulatory authorities, including courts, tribunals, regulators, tax authorities and other government authorities;
- Third parties in the event of any reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings). You will be notified of any such business transaction and of possible changes to the processing of your personal data in accordance with applicable law.
Security
We seek to use reasonable organizational, technical, and administrative measures to protect personal data within our organization. Unfortunately, no data transmission or storage system can guarantee 100% security. If you have reason to believe that your personal data with us is no longer secure, please notify us immediately in accordance with the “Contacting Us” section below.
Individuals’ rights
You have certain rights under the General Data Protection Regulation in relation to our processing of your personal data. These rights are listed below and are subject to conditions and exceptions in accordance with the GDPR and national implementation laws. You may:
- Request access to your personal data;
- Request us to correct or update your personal data;
- Request us to restrict the processing of your personal data;
- Request us to delete your personal data;
- Request a copy of your personal data for purposes of transmitting it to another company;
- Object to our processing of your personal data;
- Withdraw your consent (which will not affect the lawfulness of processing prior to the withdrawal);
- Lodge a complaint with an EU/EEA data protection authority for your country or region where you have your habitual residence or place of work or where an alleged infringement of applicable data protection law occurs. A list of data protection authorities is available here.
You can submit your request by contacting info@norlaw.nl and we will provide you with a response within one month.
Retention period
We will retain your personal data for the period necessary to fulfill the purposes outlined in this Privacy Statement unless a longer retention period is required or permitted by law, for example, for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
The criteria used to determine our retention periods include (i) the length of time we have an ongoing relationship with you (for example, for as long as you are a client or supplier of us); (ii) whether there is a legal obligation to which we are subject (for example, certain laws (or bar rules) require us to keep your client file and records of your transactions for a certain period of time before we can delete them); or (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
Third party services
This Privacy Statement does not address, and we are not responsible for, the privacy, information, or other practices of any third parties, including any third party operating any website or service to which we link. The inclusion of a link does not imply endorsement of the linked site or service by us.
Third party payment service
We provide functionality allowing our clients to make online payments to us using third party payment services (such as Pay or Mollie). When you use such a service to make a payment to us, your personal data will be collected by such third party and not by us, and will be subject to the third party’s privacy policy, rather than this Privacy Statement. We have no control over, and are not responsible for, this third party’s collection, use, and disclosure of your personal data.
Jurisdiction and cross-border transfer
Your personal data may be stored and processed outside of the European Economic Area (EEA). For such transfers, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- Adequacy Decisions: Some non-EEA countries are recognized by the European Commission as providing an adequate level of data protection according to EEA standards (the full list of these countries is available here).
- Standard Contractual Clauses: For transfers of personal data from the EEA to third countries where personal data is transferred, which are not considered adequate by the European Commission, we have put in place standard contractual clauses adopted by the European Commission to protect your personal data. You may obtain a copy of these measures by contacting us in accordance with the “Contacting us” section below or by following this link.
Updates to this Privacy Statement
The “Last Updated” legend at the top of this Privacy Statement indicates when this Privacy Statement was last revised. Any changes will become effective when we post the revised Privacy Statement on the website.