General data protection regulation

General Data Protection Regulation:

About GDPR declaration:
This declaration will help ensure that we comply with the Personal Data Act from 2018. It will also help demonstrate that our process of handling personal data is in accordance with the law.

Responsible for processing personal data:
The company is responsible for all personal data we process, this covers our employees, contact person with customers and suppliers, our guests, customers and any other business relationship.
The company is responsible for complying with the rules covering how to process personal data.
Our managing director has the daily overall responsibility.

Knowledge of the rules on personal data:
We pledge to ensure that the relevant employees are familiarized with the rules covering personal data, including this document on general data protection regulation. The level of knowledge will be adapted to the individual employee’s level of processing personal data. We will assess if some groups of employees need further knowledge regarding this Important subject, for example personnel functions and IT managers. Our management will always be familiarized and updated with the regulations.

Overseeing the process of handling personal data:
We continuously control and oversee how we process personal data. We do this in a way where we define, among other things, categories of what is being registered, purpose of the processing, how we process the information and what basis it has for the process of personal data. The forms will help ensure that we comply with the general data protection regulation.

This is how we process your personal data:
The law refers to six points that must be followed when processing any personal data. We will ensure that personal data is:
1. Processed in a legal, fair and transparent manner with respect to the person.
2. Collected for specific, expressly stated and legitimate purposes and are not further processed in a manner incompatible with these purposes.
3. Adequate, relevant and limited to what is necessary for the purposes for which they are processed.
4. Correct and if necessary updated; every reasonable measure must be taken to ensure that personal data that are incorrect regarding the purposes for which they are processed are deleted or corrected without delay.
5. Stored so that it is not possible to identify the data subjects for longer periods than necessary for the purpose for which the personal data is processed.
6. Maintained in a way that ensures sufficient security for the personal data using suitable technical or organizational measures, this includes protection against unauthorized/illegal processing, accidental loss, destruction or damage.

Grounds for processing personal data
Grounds for processing:
We must have at least one of the following grounds for processing of personal data.
1. The data subject has given consent to the processing of their personal data for one or more specific purposes.
2. The processing is necessary to fulfill an agreement to which the data subject is a party, or to carry out measures at the data subjects request before entering into an agreement.
3. The processing is necessary to fulfill a legal obligation for the processing party.
4. The processing is necessary for purposes related to the legitimate interests pursued by the processing party or a third party, unless the data subjects’ interest or fundamental rights and freedoms take precedence and require personal data to be protected, this is especially valid and important if the data subject is a child.

The mapping form must state what basis we have for processing information. If the basis for processing data is consent from the data subject, we must familiarize ourselves with the special rules that apply to such consents, including the requirement for documentation. If the basis for processing is our legitimate interest, we shall concretely and in writing document the reasoning, see below.

Business customers and their contact person(s):
Processing personal data is based on balancing interests. We need to keep in touch with our business customers to follow up offers, orders and deliveries. This is a legitimate interest. That contact becomes effective only by contacting individuals directly. Data processing is therefore necessary.
The process of data takes place with the contact persons` employer, who is a customer of ours. In addition to names, we process general information, such as telephone number, email address and employer, all of which are primarily linked to the contact persons’ employment. The scope of the information is therefore limited. The processing of the information is linked to the suppliers` business activities and not to the contact persons` private life. When consent is required under the Marketing Act, the contact person will also have given consent before we send e-mails which include marketing.

Other contact persons:
We shall delete the information when we become aware that the person is no longer relevant to our needs, including if the person leaves that company, public agency, etc. We may still store the information for a longer period if we believe it may be necessary to have contact with the person or the person’s employer. This may apply, for example, to questions about rights or obligations in regard to contracts, public law or other matters.

Privacy Commissioner:
We have considered whether the data protection regulation requires our company to have a data protection officer. We have no or very few natural persons as customers. We do not carry out regular and systematic large-scale monitoring of registered users. For most categories of data subjects, we mostly process general personal data such as name, address, employer, e-mail address, telephone number, etc. We have concluded that our company is not subject to the requirement to have a data protection representative.

General risk assessment:
We must risk assess the processing of personal data. This assessment should enable us to identify and define which security measures we will implement. The assessments shall apply to the probability and degree of severity of personal injury, such as physical injury, damage to property or medical injury. Examples of damages are discrimination, identity theft, damage to reputation, loss of social esteem, confidential information becoming known to unauthorized and unacceptable entities and intrusion into privacy. The mapping form shows that we:
largely only process general contact information, such as name, address, employer, email address, telephone number, etc.
processes information about employees that is normal for managing personnel matters, including compliance with statutory obligations.
does not process information about children.
processes information that is part of running ordinary commercial activities.

We have never been the victim of a data breach. We are also not aware that outsiders have shown an interest in the personal data we process. We therefore believe that it is unlikely that the information is subject to breaches. We must at any time risk assess changes that may affect information security, for example when we buy new IT services. The results of risk assessments must be approved by the person who has day-to-day processing responsibility in the company.

Information security:
According to the law, we must take appropriate technical and organizational measures to achieve a level of security that corresponds to the risk associated with the way we process our personal data. We must then consider the state of the art, the implementation costs and the nature, scope and purpose of the processing of personal data, as well as the context in which it is carried out. Our risks are assessed overall in the point above. Against this background, we have implemented the following measures:
We have designated a person with the special task of ensuring safety. Unauthorized persons must be prevented from accessing the personal data or the equipment on which it is stored.
It must be ensured that the company’s network is protected against intrusion from external networks with a firewall that only allows necessary data traffic to pass through.
It must be ensured that the company’s network is protected against unauthorized use, for example by securing the wireless network.
Extra measures must be taken for particularly sensitive information such as sick leave, information about the organization of the workplace, assessments of the employee, notes and warnings.
Employees must be given training in the use of the company’s IT system.

Purchase of IT services and data processing agreements:
Usually, we will act as data controller when the business buys IT services from a service provider. We then continue to be responsible for ensuring that privacy legislation is complied with when purchasing IT services, for example HR solutions or customer databases/CRM.
Before we buy IT services, we assess whether the supplier meets the security requirements required by the Personal Data Act. We make sure to enter into a data processor agreement that regulates how the data processor must handle the personal data it receives from and processes on our behalf. Suppliers will often have their own agreements that meet the requirements of the regulations.
If the service provider is to transfer personal data to countries outside the EU/EEA, there must be a legal basis for this.

Breach of personal data security:
In the event of a breach of personal data security, we must immediately contact the Norwegian Data Protection Authority. “Breach of personal data security” means a breach that leads to the accidental or illegal destruction, loss, alteration, illegal dissemination of or access to personal data that we process.
In the event of certain breaches of personal data security, we must notify the Norwegian Data Protection Authority and occasionally also the data subject. Notification to the Norwegian Data Protection Authority must be made immediately, and no later than 72 hours after we became aware of the breach. It is not necessary to notify the Norwegian Data Protection Authority if it is unlikely that the breach of personal data security will increase the risk to the rights of individuals. We have a duty to notify the data subject if it is likely that the breach of personal data security will secure a high risk for the individuals` rights and freedoms. We believe that our processing of personal data can only exceptionally lead to such a risk. We must document any breaches of personal data security. We do this by describing the actual circumstances surrounding the breach. In addition, we must describe the effects of the breach and what measures have been taken to remedy the breach. This documentation shall enable the Norwegian Data Protection Authority to check that the business has complied with the requirements of the law.

Assessment of privacy consequences and prior consultation with the Norwegian Data Protection Authority:
We will analyze the consequences regarding privacy regulations when it is planned to process personal data that is likely to pose a high risk to peoples` rights, such as the right to privacy. In assessing whether such an investigation is necessary, we must take into account the nature, scope, context and purpose of the processing. It must also consider whether it uses new technology.
There are several types of cases where it is necessary to investigate privacy consequences:
– Systematic and comprehensive assessment of personal circumstances when the information is used for automated decisions, processing of sensitive personal data on a large scale or systematic monitoring of public areas on a large scale.
In the cases above, we must familiarize ourselves with the special rules that apply, including that the Norwegian Data Protection Authority must occasionally be involved in preliminary discussions.

Control, updating and revision of how we handle personal data:
We will update and revise this document regularly. The background is, among other things, that the rules in law and regulations may be changed, our processing of personal data may be changed, or experience may indicate that we should change our routines. For the same reasons, we must also regularly review and update the forms mapping the processing of personal data. The managing director is responsible for ensuring that the need for changes and revisions is identified and incorporated into the document and form. This must be done annually.