Privacy policy

  1. About the privacy policy
  2. Responsibility for the processing of personal data by us
  3. Knowledge of the rules on personal data
  4. Mapping of processing of personal data
  5. Basic requirements for the processing of personal data
  6. Basis for processing personal data
    1. Basis for processing
    2. Employees
    3. Former employees
    4. Job seekers
    5. Contact persons at suppliers
    6. Contact persons at corporate customers
    7. Other contact persons
  7. Basis for the processing of sensitive personal data
  8. Information to data subjects (privacy policy)
  9. Rights of data subjects
  10. Deletion of personal data
  11. Data protection officer
  12. General risk assessment
  13. Information security
  14. Nonconformities, analysis of nonconformities and corrective actions
  15. Purchase of IT services - data processing agreements
  16. Breach of personal data security
  17. Impact assessment and prior consultation with the Norwegian Data Protection Authority
  18. Control, update and revision of the document
1. About the privacy policy

The purpose of this document is to help us comply with the Personal Data Act of 2018. It will also help to demonstrate that our processing of personal data complies with the law.

2. Responsibility for the processing of personal data by us

The company is responsible for the personal data it processes, for example about its own employees, contact persons at customers and suppliers, private customers and other business associates. The company is responsible for complying with the obligations that follow from the rules on personal data.

Ståle Haugland is responsible for day-to-day processing.

3. Knowledge of the rules on personal data

We shall ensure that the relevant employees are familiar with the rules on personal data, including this document on data protection. The level of knowledge shall be adapted to the individual employee's processing of personal data. We shall assess whether certain groups of employees need special knowledge, such as HR functions and IT managers. Our management shall always have knowledge of the regulations.

4. Mapping of the processing of personal data

We must map all processing of personal data. We must do this in a separate form in which we specify, among other things, the categories of data subjects, the purpose of the processing, how we process the data and the basis for the processing. The forms will help us comply with the rules on the processing of personal data.

5. Basic requirements for the processing of personal data

The law sets out six basic requirements that apply to all processing of personal data. We must ensure that personal data is:

  1. processed in a lawful, fair and transparent manner with regard to the data subject ("lawfulness, fairness and transparency")
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes ("purpose limitation")
  3. adequate, relevant and limited to what is necessary for the purposes for which it is processed ("data minimization")
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay ("accuracy")
  5. stored in such a way that it is not possible to identify the data subjects for longer than is necessary for the purposes for which the personal data is processed ("storage limitation")
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality")

If personal data is used for purposes other than those for which it was collected, see point 2 above, we shall always assess whether the new or changed purpose is compatible with the original purpose. We shall then take into account the factors set out in Article 6(4) of the General Data Protection Regulation.

6. Basis for processing personal data

  1. Basis for processing

We shall have at least one of the following bases for all processing of personal data:

  1. the data subject has consented to the processing of their personal data for one or more specific purposes
  2. the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  3. the processing is necessary for compliance with a legal obligation to which the controller is subject
  4. the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (balancing of interests)

The basis or bases on which we process data must be stated in the mapping form. If the basis for the processing is the data subject's consent (see no. 1), we must familiarize ourselves with the special rules that apply to such consent, including the requirement to document it. If the basis for processing is our legitimate interest (balancing of interests) (see no. 4), we must document the balancing specifically and in writing, see below.

2. Employees

The processing of data is mainly based on legal obligations. Some of the processing is also based on a balancing of interests. We need to be able to document that we have fulfilled legal and contractual obligations after the fact, and we need records from personnel administration for use in future personnel administration. These are legitimate interests. There is no way to retain that documentation other than to store the data. Processing is therefore necessary.

Our employees have an ongoing contractual relationship with us. The personal data we process is linked to this contractual relationship. This is largely information that employees have provided to us. The information relates to matters that are likely to be processed by an employer.

We believe that the legitimate interest takes precedence over the interests of the employee.

3. Former employees

The processing of most personal data is based on a balancing of interests. A need may arise for us to document personnel matters even after the employment relationship has ended, such as a dispute with the former employee. This may apply, for example, to documentation that we as an employer have fulfilled our obligations under legislation or the employment contract. This is a legitimate interest. It is not possible to have access to the information in any other way. Processing is therefore necessary.

The processing involves storing the data for up to twelve months. We may store information about the employee's previous employment, the duration of the employment relationship and work tasks for longer. The data will not be disclosed to others without the former employee's request, for example in connection with an assessment of employment with a new employer.

We believe that the legitimate interest takes precedence over the interests of the former employee.

4. Job seekers

The processing of personal data is based on a balancing of interests. We need to use information to assess applications that job applicants send us. This is a legitimate interest. It is not possible to assess an application without processing personal data. Processing is therefore necessary.

We ask those who want to apply for a job with us to send us at least their name, education, work experience and references. Job applicants will often provide additional personal data that they consider relevant to the assessment of their application, such as contact information, family relationships and interests. In interviews, we ask questions to determine whether the job applicant is suitable for the position. In some cases, we may use tests or questionnaires for this purpose. If it becomes relevant to employ the job applicant, we may ask for additional information as well as documentation for information we have already received. It is voluntary to provide us with information.

We do not use the information for anything other than assessing the application. We do not provide the information to anyone else. We may retain information from job applicants for six months, in the event that job applicants believe that their rights have not been fulfilled.

We believe that the legitimate interest takes precedence over the interests of the job seeker.

5. Contact persons at suppliers

The processing of personal data is based on a balancing of interests. We need to keep in touch with our suppliers in order to follow up on offers, orders and deliveries, among other things. This is a legitimate interest. Such contact is only effective if we can reach individuals directly. Processing is therefore necessary.

The processing takes place in relation to the contact person's employer, who is, or wishes to become, a supplier to us. In addition to names, we process contact information, such as telephone number, email address and employer, all of which are linked primarily to the contact person's working relationship and not to the contact person's private life. The scope of the data is very limited. The processing of the data is related to the supplier's business activities and not to the contact person's private life. Our processing of the personal data is clearly foreseeable for the contact person.

We believe that the legitimate interest overrides the interests of the contact person.

6. Contact persons at corporate customers

The processing of personal data is based on a balancing of interests. We need to keep in touch with our business customers to follow up on offers, orders and deliveries. This is a legitimate interest. Such contact is only effective if we can reach individuals directly. Processing is therefore necessary.

The processing takes place in relation to the contact person's employer, who is a customer of ours. In addition to names, we process general contact information, such as telephone number, email address and employer, all of which are linked primarily to the contact person's employment. The scope of the data is therefore limited. The processing of the data is linked to the customer's business activities and not to the contact person's private life. Where consent is required under the Marketing Act, the contact person will also have given consent before we send marketing emails. Our processing of personal data is clearly foreseeable for the contact person.

We believe that the legitimate interest overrides the interests of the contact person.

7. Other contact persons

The processing of personal data is based on a balancing of interests. We need to be in contact with public authorities, such as NAV and supervisory authorities in connection with public law matters where we may have obligations and rights. This is a legitimate interest. In some cases, this communication will only be effective if we can contact individuals directly. Processing is therefore necessary.

7. Basis for the processing of sensitive personal data

The processing of sensitive personal data requires a basis for processing in addition to those mentioned in section 6.

Sensitive personal data is: information about racial or ethnic origin, political opinions, religion, beliefs or trade union membership, as well as genetic data and biometric data for the purpose of uniquely identifying a natural person, health data or data concerning a natural person's sex life or sexual orientation.

If we are to process such data, we must ensure that we have a basis for processing. For our employees, information about health and trade union membership will be particularly relevant. Health includes, for example, illness and injuries and absence due to these. A particularly relevant basis for processing will be that processing is necessary in the capacity of employer, for example in connection with follow-up and reporting to public authorities or when facilitating the employment relationship.

The processing of information about criminal convictions and offences is subject to special rules that we must familiarize ourselves with if we are to process such information.

8. Information to data subjects (privacy policy)

We will provide statutory information to data subjects. We shall provide such information in a privacy notice. All data subjects shall have access to the information that applies to them. We provide information to employees in an employee handbook or similar.

The information must include, among other things, the name of the company and contact information, the purpose of the processing, the categories of personal data, recipients of personal data (if disclosed), information about any disclosure of personal data to other countries, how long the personal data will be stored, the data subject's right to request access, rectification or deletion of the personal data, how the company gained access to the personal data and the possibility to complain to the Norwegian Data Protection Authority.

If the data subject is a child, we will consider in particular how good information can be provided.

9. Rights of data subjects

We will respond to inquiries from data subjects without undue delay. If we receive such inquiries, they should be sent to Ståle Haugland.

We will ensure that data subjects can exercise their rights with us.

10. Deletion of personal data

We will delete personal data without undue delay when it is no longer "necessary" for the purpose for which it was collected or processed. At least once a year we will review this. Our deletion policy is set out below or on the mapping form.

Employees

As a general rule, we retain all information throughout the period of employment. Employees can request that information be deleted. This will be assessed on a case-by-case basis. Legislation may require a longer retention period.

Former employees and job seekers

See above about the processing basis for these categories. Legislation may require a longer retention period than what is stated here.

Contact persons at suppliers and customers

We will delete the data when we become aware that the contact person has left the supplier or customer or that the supplier or customer has appointed a new contact person. The same applies when the supplier or customer relationship has ended.

However, we may store the data for a longer period if we believe it may be necessary to document the contact we have had with the supplier or customer. This may apply, for example, to questions about rights or obligations in the contractual relationship with the supplier or customer. Legislation may also require a longer retention period.

Other contact persons

We will delete the data when we become aware that the person is no longer relevant to our needs, including if the person leaves the company, public agency, etc.

However, we may store the data for a longer period of time if we believe it may be necessary to document contact with the person or the person's employer. This may apply, for example, to questions about rights or obligations in contractual, public law or other matters.

11. Data protection officer

We have considered whether the GDPR requires our company to have a data protection officer.

We have no or very few natural persons as customers. We do not regularly and systematically monitor data subjects on a large scale. For most categories of data subjects, we generally process general personal data such as name, address, employer, email address, telephone number, etc. We process some sensitive information about employees.

We have concluded that our company is not required to have a data protection officer.

12. General risk assessment

We shall risk assess the processing of personal data. This assessment shall enable us to identify and define which security measures we should implement.

The assessments shall relate to the likelihood and severity (risk) of harm to the "rights and freedoms" of individuals, whether physical, material or non-material. Examples of harm include discrimination, identity theft, damage to reputation, loss of social esteem, unauthorized disclosure of confidential information and unacceptable invasion of privacy.

The mapping form shows that we:

  • largely process only general contact information, such as name, address, employer, email address, telephone number, etc.
  • process information about employees that is customary to administer personnel matters, including compliance with statutory obligations
  • have few or no private customers
  • do not process information about children
  • process information that is part of conducting ordinary business activities

We have never been the victim of a data breach. Nor are we aware that outsiders have shown any interest in the personal data we process. We therefore believe that a breach is unlikely. The absence of past incidents is not proof of low risk, so this assessment is repeated when our processing or IT systems change and at the annual review (see section 18).

Based on the nature and scope of the data we process, we believe that the consequences of a personal data breach will generally not be severe.

When it comes to some of the information about employees, both the likelihood and seriousness of a breach of the rules are much greater. We therefore have separate routines for processing such information, including limiting access to it.

We must risk assess changes that may affect information security, for example when we purchase new IT services.

The results of risk assessments must be approved by the person with day-to-day responsibility for processing in the company.

13. Information security

We are required by law to take appropriate technical and organizational measures to achieve a level of security that corresponds to the risk associated with our processing of personal data. We must then take into account the state of the art, the implementation costs and the nature, scope and purpose of the processing, as well as the context in which it is carried out.

Our risks are assessed overall in the section above.

Against this background, we have implemented these measures:

  • We have appointed a person with the specific task of ensuring information security: Ståle Haugland.
  • Unauthorized persons shall be prevented from gaining access to personal data or the equipment on which it is stored.
  • The company's network shall be protected against intrusion from external networks by a firewall that only allows necessary data traffic through.
  • The company's network shall be protected against unauthorized use, for example by securing the wireless network.
  • Extra measures shall be taken for information that is particularly worthy of protection, such as sick leave, workplace arrangements, assessments of the employee, remarks and warnings, including restricting access to it to those who need it.
  • Employees shall be trained in the use of the company's IT systems.

14. Non-conformities, analysis of non-conformities and measures to rectify them

We must determine whether the processing of personal data complies with the rules in the Personal Data Act and the procedures in this document. If this is not the case, we must find out how we can increase compliance. We must document in writing both what deviations we have found and what we have done to correct them.

In the mapping form, the answers to question 15 can summarize non-conformities for each category of data subject. The person completing the form must notify Ståle Haugland of such non-conformities. The person who discovers the non-conformity must take immediate action if necessary to limit or prevent significant inconvenience or consequential damage. The person who receives the notification must first assess whether immediate action is necessary. He or she must then ensure that measures are implemented to prevent the non-conformity from recurring.

If it turns out that the procedures are not sufficiently adapted to our company, we should consider changing the procedures, see section 18.

15. Purchase of IT services - data processing agreements

Normally, we will act as data controller when the company purchases IT services from a service provider. We are then still responsible for ensuring that data protection legislation is complied with when purchasing IT services, such as HR solutions or customer databases/CRM.

Before we buy IT services, we must therefore assess, among other things, whether the supplier satisfies the security requirements of the GDPR (Article 32), as incorporated into Norwegian law by the Personal Data Act. Reputable suppliers will often be able to document that they meet the requirements. We must also ensure that we enter into a data processing agreement that regulates how the data processor will handle the personal data it receives from and processes on our behalf. Suppliers will often have their own agreements that meet the requirements of the regulations; we must still check that such an agreement covers our processing before signing it.

If the service provider is to transfer personal data to countries outside the EU/EEA, there must be a legal basis for the transfer.

16. Breach of personal data security

In the event of a breach of personal data security (such as a hacker attack or loss of personal data), we will immediately contact the Norwegian Data Protection Authority to find out what we should do.

"Personal data breach" means a breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that we process.

In the event of certain breaches of personal data security, we must notify the Norwegian Data Protection Authority and sometimes also the data subject. Notification to the Norwegian Data Protection Authority must take place without undue delay and, where feasible, no later than 72 hours after we became aware of the breach. It is not necessary to notify the Norwegian Data Protection Authority if it is unlikely that the personal data breach will result in a risk to the rights and freedoms of individuals. An example is where a security breach has led to unauthorized access to personal data that is already publicly available.

We have a duty to notify the data subject if it is likely that the personal data breach will result in a high risk to the rights and freedoms of individuals. We believe that our processing of personal data can only exceptionally lead to such risks.

We must document any breaches of personal data security. We do this by describing the facts surrounding the breach ("What happened?"). In addition, we must describe the effects of the breach and what measures have been taken to remedy the breach. This documentation will enable the Norwegian Data Protection Authority to check that the company has complied with the requirements of the Act.

17. Privacy impact assessment and prior consultation with the Norwegian Data Protection Authority

We are required to carry out a privacy impact assessment when planning to process personal data in a way that is likely to result in a high risk to the rights of individuals, such as the right to privacy. In assessing whether such an assessment is necessary, we shall take into account the nature, scope, context and purposes of the processing. We shall also take into account whether new technology is used.

There are several types of cases where it is necessary to assess privacy impacts: Systematic and extensive assessment of personal circumstances when the data is used for automated decisions, processing of sensitive personal data on a large scale or systematic surveillance of public areas on a large scale.

In the cases above, we will familiarize ourselves with the special rules that apply, including that the Norwegian Data Protection Authority must sometimes be involved in preliminary discussions.

18. Control, update and revision of the document

We will update and revise this document regularly. The reason for this is, among other things, that the rules in laws and regulations may be changed, our processing of personal data may be changed or experience may indicate that we should change our routines. For the same reasons, we will also regularly review and update the forms mapping the processing of personal data.

Ståle Haugland is responsible for ensuring that the need for changes and revisions is identified and incorporated into the document and the form. This must be done annually.

The evaluation should include, for example, the following questions:

  • Since the last audit, have we changed (new, amended or discontinued) processing of personal data that is not addressed in the document or forms?
  • Do the six basic requirements for the processing of personal data mean that we should change our procedures or practices?
  • Since the last audit, have there been any new rules in laws or regulations that require changes?
  • Since the last audit, has the business discovered other areas for improvement in the document or forms?
  • Has new technology emerged that allows personal data to be secured in a better way?