top of page

Privacy Policy

At Sp/f Eli Thorsteinsson advokatur (hereinafter referred to as the Company), data security and confidentiality are highly prioritized. In this privacy policy, you can read about how the Company processes the information it receives about you when you, as a customer of the Company, use the services offered by the Company.

Data Controller

The Company is the data controller for the processing of your personal data. The legal information about the Company is as follows:

Sp/f Eli Thorsteinsson advokatur

Børkugøta 12, FO-100 Tórshavn

Mobile: +298 590989


Faroese TIN: 648760 / Company 7524

The Company as Data Processor

In certain cases, the Company may act as a data processor for a customer, for example, if the Company manages a whistleblower system for an association or a company, or if the Company provides electronic platforms, such as electronic data rooms for mergers and acquisitions, for bidding on goods and services, etc.

When the Company acts as a data processor, it operates in accordance with the guidelines from the data controller and pursuant to a specific data processing agreement. In such cases, this privacy policy does not apply.

Purpose of Processing and Categories of Personal Data

In connection with the provision of services, the Company may process the following information about you:

Legal Services and Tasks

If you are a customer of the Company or a potential customer, personal data about you are processed to provide you with legal services in order to fulfill or comply with the agreement that the Company has entered into with you or the customer you represent.

Company-related information is usually not covered by data protection law, but the Company may, under certain circumstances, process your collaboration, contact details, and professional information, including name, email address, phone number, address, position, education, and our business connection. Additionally, the Company processes information about financial matters, including payment details and tax information. The legal basis for processing can be found in Section 8(1), No. 2 of the Data Protection Act, as the processing is necessary to fulfill a contract with the customer or as part of the customer's request before a potential contract is concluded.

The Company may also process sensitive personal data depending on the specific circumstances of the case or cases in which the Company assists the customer, provided that the data subject has given explicit consent, for example, if the processing is necessary to establish, assert, or defend legal claims. Processing may also take place if it is necessary to pursue legitimate interests, and these interests outweigh the data subject's interests, rights, or freedoms. Disclosure without consent can only occur when the disclosure concerns private or general interests that clearly outweigh the interests requiring confidentiality.

As the Company is a law firm, it is subject to obligations under the Anti-Money Laundering Act in connection with some of the legal services it provides. In this context, personal data are also processed, including identity information such as name, personal identification number, passport number, etc. The Company only processes identity information obtained with reference to the Anti-Money Laundering Act to fulfill obligations under this law and not for commercial purposes. The legal basis for processing is the Anti-Money Laundering Act as a whole.


If you sign up for a course organized by the Company, the Company may process your personal information in this context. The Company processes your name, position, workplace, email address, and address in connection with this. The legal basis for processing can be found in Section 8(1), No. 2 of the Data Protection Act. This information is stored for 9 years.

In connection with the planning of courses, the Company may disclose your personal information to relevant partners. This could include providers of webinar solutions or instructors outside the Company. Information about partners in connection with specific courses and similar events will normally be available when you sign up.


The Company does not produce or send newsletters or similar directly to recipients. If the Company begins to offer such a service in the future, this policy will be updated accordingly.


If the Company wishes to use your personal information for marketing, consent will always be obtained in accordance with the provisions of the Data Protection Act. The legal basis for processing in that case can be found in Section 8(1), No. 1 of the Data Protection Act. It will always be possible to revoke a given consent.

Website and Cookies

The Company's website currently does not have features or tools that require the processing of personal information. 

However the website, that is made on the website-platform, contains cookies that are essential for the functioning of the website. However, the Company does not store personal information about you as a visitor to the website, and you cannot be tracked via these cookies. Read more about which cookies the website uses at the bottom of this page. 

A cookie is a small text file sent from our web servers and stored by your internet browser. There are two types of cookies, regular cookies, and session cookies. Session cookies expire when you close your browser, and therefore nothing is stored on your computer. Regular cookies are stored on your computer for a longer period.

If you do not wish to accept cookies, your browser can be set not to store cookies, or you can be informed each time a website requests to store a cookie. You can always manually delete cookies from your hard drive. You can also delete previously stored cookies via the browser. See the help page in your browser for more information. If you do not accept cookies, it may result in limited functionality on several websites.

Social Media - Company Pages on LinkedIn and Facebook

The Company is active on social media. Currently, the Company has a company page on LinkedIn and one on Facebook. If this changes, this policy will be updated accordingly.

When you interact with the Company on these pages on LinkedIn and Facebook, you make information available to the Company and the respective social media platform, for example, when you react to the Company's posts, write comments, and share content, as well as when the Company processes information about you "liking" the company page or following the Company on social media. Additionally, general information about you, such as identity information, contact details, etc., is processed. The purpose of the processing is to market the Company on the respective social media platform.

The legal basis for the processing can be found in Section 8(1), No. 6 of the Data Protection Act, and the Company's legitimate interest in marketing itself as a law firm on social media, including making customers and potential future customers aware of relevant content and news.

By using these two social media platforms, the respective social media platforms themselves use the information collected via the Company's page, and the Company and LinkedIn and Facebook respectively can be considered joint data controllers for the processing of this information.

You can read more about joint data controllership, responsibility allocation, processing, etc. with LinkedIn here: and with Facebook here:


Information on social media is usually deleted when the Company deletes a post, or when you delete your comment, share, reaction, or stop "liking" or following the Company on social media.


In certain cases, your company shares your personal data with partners and suppliers, such as IT suppliers. These parties only process your personal data on behalf of the company and in accordance with the company's guidelines.

The company may also disclose your personal data to external third parties if required by the company, or as part of the service to the customer. This could include, for example, the police, tax authorities, other public authorities, courts, probate courts, other law firms, counterparties in legal proceedings, as well as external partners such as instructors.

In connection with the company's receipt of client funds in a client account, the company is sometimes obligated to disclose information about the customer to the financial institution so it can fulfill the obligations imposed on the financial institution in the Anti-Money Laundering Act.

Third Countries

The company does not transfer your personal data to third countries (i.e., countries outside the EU/EEA), unless necessary in the specific case. This could occur, for example, because the company, in advising you as a customer, needs to obtain external advice, such as external connections/collaborating lawyers, financial advisors, other consultants, financial institutions, insurance companies, etc., to provide the desired advice. In this context, it may also be necessary to involve the relevant foreign authorities.

Such transfer of your personal data will take place in accordance with Section 62(1), Nos. 2-5 of the Data Protection Act. When transferring personal data in other situations, the company ensures that there is a transfer basis and that the customer is informed accordingly.


The company has procedures in place to ensure that it has the necessary security and thus also meets the requirements for implementing appropriate technical and organizational security measures. This is done to ensure the best possible security for your personal data, both in terms of quality and completeness.

Storage and Deletion

The company deletes your personal data when it no longer needs to process them to fulfill one or more of the purposes mentioned above. However, special legal provisions, including, for example, in the Accounting Act, the Anti-Money Laundering Act, the Limitation Act, etc., may give the company an obligation or right to retain the information for a longer period. The information may also be processed and stored longer if anonymized.

Personal data collected by the company under the Anti-Money Laundering Act is kept for 5 years after the end of the customer relationship and then deleted.

Your Rights

You have the right to access the information that the company processes about you, with certain exceptions as stipulated by law. Additionally, you have the right to object to the collection and further processing of your personal data. Furthermore, you have the right to have your information corrected or to request that the company restrict the processing of your personal data.

If you request the company to delete your personal data, the company will delete the information recorded about you without undue delay, unless the company can continue processing on another legal basis, such as if the processing is necessary to establish a legal claim or to respond to inquiries from you.

In certain cases, you may also request the company to provide you with a copy of your personal data in a structured, commonly used, and machine-readable format and request that the company transfer the information directly to another data controller (right to data portability).


If the company processes your personal data based on your consent, you can revoke your consent at any time. This can be done by contacting the company directly. If you revoke your consent, the company will cease processing your personal data unless the company has a legal or contractual obligation to continue processing or storing your information on another legal basis, including under the law. Revoking consent does not affect the lawfulness of the processing carried out before the revocation of consent.


If you wish to exercise your rights as described above, you are welcome to contact the company at any time.

The company requests that, in connection with inquiries regarding your rights, you provide sufficient information so that the company can process your request, including your full name and email address, so the company can identify you and respond to your inquiry. The company will respond as soon as possible.

If you disagree with the way the company processes your personal data or the purposes for which the company processes the personal data, you are welcome to contact the company. You also have the option to lodge a complaint with:

Dátueftirlitið (the Faroese Data Protection Authority)


P.O. Box 300, FO-110 Tórshavn


Phone: (+298) 309100

Links to Other Websites

The company's website contains links to other websites. The company assumes no responsibility for the content of other websites or for their practices regarding the collection of personal information.

When visiting other websites, you should always read the privacy policy and other relevant policies of the website.

Changes to the Privacy Policy

The company reserves the right to change this privacy policy due to significant changes in legislation, new technical solutions, new or improved features, or to improve the website and other social media pages.


Write to - with "Privacy Policy" in the subject line if the company needs to amend or delete personal information that the company has registered about you, or if you have questions about the guidelines in the privacy policy.

Posted on October 15, 2020. Updated with information about the website's use of cookies on April 3, 2024.

The privacy policy is effective from January 1, 2021.

Sp/f Eli Thorsteinsson advokatur

The above is a translated version of the current privacy policy in Faroese. If there are discrepancies between the above version and the current Faroese version, the Faroese version prevails.

When referring to legislation in the above, such as the Data Protection Act, the Anti-Money Laundering Act, etc., reference is made to the current Faroese legislation in the area, unless otherwise expressly stated.


The website uses these essential cookies: 

bottom of page