Privacy in Biologen AS

  1. About the Privacy Policy
  2. Responsibility for processing personal data with us
  3. Knowledge of the rules on personal data
  4. Mapping of the processing of personal data
  5. Basic requirements for the processing of personal data
  6. Basis for processing personal data
    1. Basis for processing
    2. Employees
    3. Former employees
    4. Job seekers
    5. Contact persons at suppliers
    6. Business customer contact persons
    7. Other contact persons
  7. Basis for processing sensitive personal data
  8. Information for the data subjects (privacy statement)
  9. Data Subject Rights
  10. Deletion of personal data
  11. Data Protection Officer
  12. General risk assessment
  13. Information security
  14. Deviations, analysis of nonconformities and measures to correct them
  15. Purchase of IT services – data processing agreements
  16. Breach of personal data security
  17. Impact assessment and prior consultation with the Norwegian Data Protection Authority
  18. Control, update and revision of the document

 

  1. About the Privacy Policy

This document will help us comply with the Personal Data Act of 2018. The document will also help to demonstrate that our processing of personal data complies with the law.

  2. Responsibility for the processing of personal data with us

The company is responsible for personal data we process, for example about its own employees, contact persons at customers and suppliers, private customers and other business contacts. The company is responsible for complying with the obligations that follow from the rules on personal data.

Ståle Haugland has day-to-day responsibility for the processing.

  3. Knowledge of the rules on personal data

We shall ensure that the relevant employees are familiar with the rules on personal data, including this data protection document. The level of knowledge shall be adapted to the individual employee’s processing of personal data. We will assess whether any groups of employees need special knowledge, such as personnel functions and IT managers. Our management must always be familiar with the regulations.

  4. Mapping the processing of personal data

We will map all processing of personal data. We will do this in a separate form where we specify, among other things, the categories of data subjects, the purpose of the processing, how we process the information and what basis we have for the processing. The forms are intended to help us comply with the rules on the processing of personal data.

  5. Basic requirements for the processing of personal data

The law sets out six basic principles that apply to all processing of personal data. We shall ensure that personal data shall:

  1. be processed in a lawful, fair and transparent manner in respect of the data subject (“lawfulness, fairness and transparency”);
  2. be collected for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes (“purpose limitation”);
  3. be adequate, relevant and limited to what is necessary for the purposes for which they are processed (“data minimisation”);
  4. be correct and, if necessary, kept up to date; every reasonable measure must be taken to ensure that personal data which are inaccurate with regard to the purposes for which they are processed are erased or corrected without delay (“correctness”);
  5. be stored in a form that does not make it possible to identify the data subjects for longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
  6. be processed in a manner that ensures adequate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

If personal data is used for purposes other than those for which it was collected (see point 2 above), we shall always consider whether the new or changed purpose is compatible with the original one. In doing so we shall take into account the factors set out in Article 6(4) of the General Data Protection Regulation.

  6. Basis for processing personal data
  6.1 Basis for processing

We shall have at least one of the following bases for all processing of personal data:

  1. the data subject has consented to the processing of his/her personal data for one or more specific purposes;
  2. the processing is necessary for the performance of an agreement to which the data subject is party or to take steps at the data subject’s request prior to entering into a contract;
  3. the processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject take precedence and require protection of personal data, in particular if the data subject is a child (balancing of interests).

The mapping form must state the basis or bases we have for processing the data. If the basis for processing is the consent of the data subject (see point 1), we shall familiarise ourselves with the special rules that apply to such consent, including the requirement for documentation. If the basis for processing is our legitimate interest (balancing of interests, see point 4), we shall document the balancing specifically and in writing; see further below.

  6.2 Employees

The processing of data is mainly based on a legal obligation. Some of the processing is also based on a balancing of interests. We need to document that we have fulfilled our obligations under law and agreement, also after they have been fulfilled. We also need documentation for use in future personnel management. These are legitimate interests. There is no way to have the information available other than to store it. Processing is therefore necessary.

Our employees have an ongoing contractual relationship with us. The personal data we process is related to this contractual relationship. It is largely information the employees have given us themselves. The information relates to matters that an employer can be expected to process.

We believe that the legitimate interest takes precedence over the employee’s interests.

  6.3 Former employees

The processing of most of the personal data is based on a balance of interests. We may need to document personnel matters even after the employment relationship has ended, for example a dispute with the former employee. This may apply, for example, to documentation that we as an employer have fulfilled our obligations under legislation or the employment contract. This is a legitimate interest. It is not possible to have access to the information in any other way. Processing is therefore necessary.

The processing involves storing the information for up to twelve months. Information about whether the employee has been employed, duration of employment and work tasks can be stored longer. The information will not be disclosed to others without the former employee’s request, for example in connection with the assessment of employment with a new employer.

We believe that the legitimate interest takes precedence over the interests of the former employee.

  6.4 Job seekers

The processing of personal data is based on a balance of interests. We need to use information to assess applications job seekers send us. This is a legitimate interest. It is not possible to consider an application without processing personal data. Processing is therefore necessary.

We ask those who want to apply for a job with us to send us at least information about name, education, work experience, reference persons, etc. (CV). Job seekers will often also provide additional personal data they consider relevant to the assessment of their application, for example contact information, family circumstances and interests. In interviews, we ask questions to determine whether the job seeker is a good fit for the position. In some cases, we may use tests or questionnaires for this purpose. If hiring the job seeker becomes relevant, we may request additional information as well as documentation for information we have already received. It is voluntary to provide us with information.

We do not use the information for anything other than assessing the application. We do not provide the information to anyone else. We may retain information from job applicants for six months, in case job applicants believe that their rights have not been met.

We believe that the legitimate interest takes precedence over the interests of the job seeker.

  6.5 Contact persons at suppliers

The processing of personal data is based on a balance of interests. We need to keep in touch with our suppliers to follow up on offers, orders and deliveries, among other things. This is a legitimate interest. Such contact is only effective if we can contact individuals directly. Processing is therefore necessary.

The processing takes place vis-à-vis the contact person’s employer, who wishes to be a supplier to us. In addition to names, we process contact information, such as telephone number, e-mail address and employer, all of which are linked primarily to the contact person’s employment and not to the contact person’s private life. The scope of the information is very limited. The processing of the data is related to the supplier’s business activities and not to the contact person’s private life. Our processing of personal data is clearly foreseeable for the contact person.

We believe that the legitimate interest takes precedence over the interests of the contact person.

  6.6 Contact persons for corporate customers

The processing of personal data is based on a balance of interests. We need to keep in touch with our corporate customers to follow up on offers, orders and deliveries. This is a legitimate interest. Such contact is only effective if we can contact individuals directly. Processing is therefore necessary.

The processing takes place vis-à-vis the contact person’s employer, who is our customer. In addition to names, we process general contact information, such as telephone number, e-mail address and employer, all of which are linked primarily to the contact person’s employment. The scope of the information is therefore limited. The processing of the data is related to the customer’s business activities and not to the contact person’s private life. Where consent is required under the Marketing Control Act, the contact person will also have given consent before we send marketing e-mails. Our processing of personal data is clearly foreseeable for the contact person.

We believe that the legitimate interest takes precedence over the interests of the contact person.

  6.7 Other contact persons

Processing of personal data is based on a balance of interests. We need to have contact with public authorities, such as NAV and supervisory authorities in connection with public law matters where we may have obligations and rights. This is a legitimate interest. In some cases, that communication may only be effective if we can contact individuals directly. Processing is therefore necessary.

  7. Basis for processing sensitive personal data

Processing of sensitive personal data requires a basis for processing in addition to those mentioned in section 6.

Sensitive personal data are: information about racial or ethnic origin, political opinions, religion, beliefs or trade union membership, as well as genetic and biometric data for the purpose of uniquely identifying a natural person, health information and information about a natural person’s sex life or sexual orientation.

If we are to process such information, we shall ensure that we have a basis for processing. For our employees, information about health and trade union membership will be particularly relevant. Health includes, for example, illness and injuries and absence due to these. A particularly relevant basis for processing will be that the processing is necessary in our capacity as employer, for example when following up and reporting to public authorities or when facilitating the employment relationship.

The processing of information about criminal convictions and offences etc. is subject to special rules that we must familiarise ourselves with if we are to process such data.

  8. Information for data subjects (privacy statement)

We shall provide statutory information to the data subjects. We shall provide such information in a privacy statement. All registered persons shall have access to the information that relates to them. Information to employees is provided in the employee handbook or similar.

The information shall include, inter alia, the name of the company and contact information, the purpose of the processing, the categories of personal data, the recipients of personal data (if disclosed), information about any transfer of personal data to other countries, how long the personal data will be stored, the data subjects’ right to request access to, correction of or deletion of the personal data, how the company obtained the personal data and the right to lodge a complaint with the Norwegian Data Protection Authority.

If the data subject is a child, we shall give particular consideration to how the information can best be provided.

  9. Data Subject Rights

We shall respond to inquiries from data subjects without undue delay. If we receive such inquiries, they must be forwarded to Ståle Haugland.

We will ensure that data subjects are able to exercise their rights with us.

  10. Deletion of personal data

We shall delete personal data without undue delay when they are no longer “necessary” for the purpose for which they were collected or processed. We will review this at least once a year. Our deletion rules are set out below or in the mapping form.

Employees

As a general rule, we retain all information throughout the period of employment. Employees may request that information be deleted. This will be assessed concretely. The law may require longer storage periods.

Former employees and job seekers

See above on the basis for processing these categories. The law may stipulate requirements for a longer storage period than what is stated there.

Contact persons at suppliers and customers

We shall delete the information when we become aware that the contact person has left the supplier or customer or that the supplier or customer has appointed a new contact person. The same applies when the supplier or customer relationship has ended.

However, we may store the information for a longer period if we believe it may be necessary to document the contact we have had with the supplier or customer. This may apply, for example, to questions about rights or obligations in the contractual relationship with the supplier or customer. The law may also require longer storage periods.

Other contact persons

We shall delete the information when we become aware that the person is no longer relevant to our needs, including if the person leaves that company, government agency, etc.

However, we may store the information for a longer period of time if we believe it may be necessary to document our contact with the person or the person’s employer. This may apply, for example, to questions about rights or obligations under contractual, public law or other matters.

  11. Data Protection Officer

We have assessed whether the GDPR requires our company to have a data protection officer.

We have no or very few natural persons as customers. We do not conduct regular and systematic monitoring on a large scale of registered persons. For most categories of registered persons, we generally process general personal data such as name, address, employer, email address, telephone number, etc. We process certain sensitive information about employees.

We have concluded that our company is not subject to the requirement to have a data protection officer.

  12. General risk assessment

We shall risk assess the processing of personal data. This assessment will enable us to identify and define which security measures we should implement.

The assessments shall concern the probability and severity (risk) of harm to persons’ “rights and freedoms”, such as physical, material or non-material damage. Examples of such harm are discrimination, identity theft, reputational damage, loss of social esteem, confidential information becoming known to unauthorised persons and unacceptable invasion of privacy.

The mapping form shows that we:

  • to a large extent only process ordinary contact information, such as name, address, employer, e-mail address, telephone number, etc.;
  • process information about employees that is customary for managing personnel relationships, including compliance with statutory obligations;
  • have few or no private customers;
  • do not process information about children;
  • process information that is part of general business activities.

We have never been subject to a data breach. Nor are we aware that third parties have shown interest in the personal data we process. We therefore believe that it is unlikely that the information has been exposed to breaches.

Based on the nature and scope of the information we process, we believe that the consequences of a breach would not be serious.

For some of the information about employees, both the probability and the seriousness of a breach are considerably greater. We therefore have separate routines for processing such data, including restriction of access to it.

We will risk assess changes that may affect information security, for example when we purchase new IT services.

The results of risk assessments must be approved by the person with day-to-day processing responsibility in the company.

  13. Information Security

By law, we shall take appropriate technical and organisational measures to achieve a level of security corresponding to the risk associated with our processing of personal data. We shall then take into account the state of the art, the implementation costs and the nature, scope and purpose of the processing, as well as the context in which it is carried out.

Our risks are assessed in the section above.

Against this background, we have implemented the following measures:

  • A person has been appointed with special responsibility for ensuring security: Ståle Haugland.
  • Unauthorised persons shall be prevented from accessing the personal data or the equipment on which they are stored.
  • It must be ensured that the company’s network is protected against intrusion from external networks by firewalls that only allow necessary data traffic through.
  • It must be ensured that the company’s network is protected against unauthorised use, for example by securing wireless networks.
  • Extra measures shall be taken for information requiring special protection, such as sick leave, information about adaptation of the workplace, assessments of the employee, comments and warnings.
  • Employees shall be given training in the use of the company’s IT systems.

  14. Deviations, analysis of nonconformities and measures to correct them

We need to find out whether the processing of personal data follows the rules of the Personal Data Act and the routines in this document. If that is not the case, we need to work out how to improve compliance. We shall document in writing both which non-conformities we have found and what we have done to correct them.

In the mapping form, the answers to question 15 can summarise deviations for each category of data subjects. The person completing the form must notify Ståle Haugland of such deviations. The person who discovers the nonconformity shall initiate immediate measures if this is necessary to limit or prevent significant disadvantages or consequential damage. The person receiving the notification shall first assess whether immediate action is necessary. Thereafter, he or she must ensure that measures are implemented to prevent the non-conformity from happening again.

If it turns out that the routines are not well enough adapted to our business, we should consider changing the routines, see section 18.

  15. Purchase of IT services – data processing agreements

Normally, we will act as data controller when the company purchases IT services from a service provider. We are then still responsible for ensuring that privacy legislation is complied with when purchasing IT services, such as HR solutions or customer databases/CRM.

Before purchasing IT services, we shall therefore assess whether the supplier satisfies the security requirements of the Personal Data Act (Article 32). Reputable suppliers will often be able to document that they meet the requirements. We must also make sure to enter into a data processing agreement that regulates how the data processor shall handle the personal data it receives from us and processes on our behalf. Suppliers will often have their own agreements that meet the requirements of the regulations.

If the service provider is to transfer personal data to countries outside the EU/EEA, there must be a legal basis for this. There is a legal basis for this.

  16. Breach of personal data security

In the event of a breach of personal data security (such as hacker attacks or loss of personal data), we will immediately contact the Norwegian Data Protection Authority to find out what we should do.

“Personal Data Breach” means breaches that result in accidental or unlawful destruction, loss, alteration, unlawful dissemination of, or access to, personal data that we process.

In the event of certain personal data breaches, we shall notify the Norwegian Data Protection Authority and in some cases also the data subject. Notification to the Data Protection Authority shall take place without undue delay, and no later than 72 hours after we became aware of the breach. It is not necessary to notify the Data Protection Authority if it is unlikely that the breach of personal data security will entail a risk to individuals’ rights. One example is where a security breach has led to unauthorised persons gaining access to personal data that is already publicly available.

We are obliged to notify the data subject if it is likely that the breach of personal data security will result in a high risk to the rights and freedoms of individuals. We believe that our processing of personal data can only in exceptional cases lead to such risk.

We will document any personal data breaches. We do this by describing the actual circumstances surrounding the breach (“What happened?”). In addition, we will describe the effects of the breach and what measures have been taken to remedy the breach. This documentation shall make it possible for the Data Protection Authority to check that the enterprise has complied with the requirements of the Act.

  17. Data protection impact assessment and prior consultation with the Norwegian Data Protection Authority

We will carry out a data protection impact assessment when planning a processing of personal data that is likely to pose a high risk to individuals’ rights, such as the right to privacy. When assessing whether such an assessment is necessary, we shall take into account the nature, scope, context and purpose of the processing. We shall also take into account whether new technology is used.

There are several types of cases where a data protection impact assessment is necessary: systematic and comprehensive assessment of personal circumstances where the information is used for automated decision-making, processing of sensitive personal data on a large scale, or systematic monitoring of public areas on a large scale.

In the cases above, we will familiarise ourselves with the special rules that apply, including that the Data Protection Authority must in some cases be consulted in advance.

  18. Checking, updating and revision of the document

We will update and revise this document regularly. This is partly because the rules in laws and regulations may be changed, our processing of personal data may be changed or experience may indicate that we should change our routines. For the same reasons, we will also regularly review and update the forms with mapping of the processing of personal data.

Ståle Haugland is responsible for identifying and incorporating the need for changes and revisions into the document and form. This should be done annually.

The evaluation should include, for example, the following questions:

  • Since the previous revision, have we changed (new, changed or terminated) processing of personal data that has not been addressed in the document or in the forms?
  • Do the six basic requirements for the processing of personal data indicate that we should change routines or practices?
  • Since the previous revision, have new rules in legislation or regulations come into force that warrant changes?
  • Since the last audit, has the company discovered other areas for improving the document or forms?
  • Has new technology emerged that allows personal data to be secured in a better way?