This privacy notice explains how we process personal information in our business as per the General Data Protection Regulation (GDPR).
Please note that this document is protected by copyright and you may not copy any text from it.
Your rights of access and rectification: You may request access to or a copy of the information we process about you and ask us to rectify any incorrect data.
Your right to erasure or restriction: In some circumstances, you may ask us to delete and/or restrict our processing of your data, but we cannot delete any data we are required to process.
Your right to object to processing: In some circumstances, you may ask us to stop processing your data.
Your right to data portability: In some circumstances, you may ask us to transfer your data to you or to another organisation.
Also, if you’re unhappy about how we process your data, you have a right to complain to the national data authority (Datatilsynet). We hope, however, that you will contact us first so that we can try to resolve the matter for you in a satisfactory way.
Please contact us if you have any questions about or want to exercise one of your rights. You are entitled to a reply within 30 days.
We typically process personal information about potential and existing customers, vendors, partners, and related to employment at our company. We process personal information when you:
buy our products or services
sign up for our events, free or paid
respond to one of our surveys
provide us with your contact details, e.g. give us your business card
contact us via phone, text, email or social media
It is voluntary to provide us with personal information, but if you choose not to, we may not be able to provide you with our services. We do not rent, buy or sell personal information from or to others, use automated decisions or profiling in the processing of your personal information or process special category data.
Under the GDPR Article 6-1, the lawful bases we rely on for processing your information are:
Your consent
We have a contractual obligation (contract)
We have a legal obligation
We have a legitimate interest
We process personal information when:
You communicate with us
When you contact us through e-mail, phone (call, text message), social media and/or give us your business card, we process personal information. Depending on where and how you contact us, this may include contact details and other information you choose to send to us. We use a CRM (Customer Relationship Management) system to process personal data on customers and leads.
The purpose is to be able to respond to your inquiries and, on some occasions, to keep records in case of complaints or legal claims. The lawful basis is f), where the legitimate interests are to be able to respond to your inquiries and, on some occasions, to keep records in case of complaints or legal claims.
You purchase our products and services
When you purchase products and services from us, we process personal information such as contact details, order and payment details as well as purchase history. The purpose is to be able to fulfil our obligation to deliver products and services you have purchased and to manage the customer relationship. The lawful bases are b) contract and c) legal obligation.
You receive marketing as an existing customer
If we have an existing customer relationship with you as per the Norwegian Marketing Control Act § 15, we can send you marketing via e-mail and text messages. The purpose is to provide you with good customer service and the lawful basis is f), where the legitimate interest is to offer our relevant products and services. The lawful basis may also be a), where you have given us your consent.
You can opt out of the marketing at any time by unsubscribing in any marketing email or text message you receive.
You apply for a job or work at our company
When applying for a job with us, we process personal information such as contact details, CVs, references and other relevant information. The purpose is to be able to evaluate your application. The lawful basis is b) (necessary to perform a) contract, and possibly GDPR Article 9 (2) b) and h) if your application contains special categories of personal information.
For employees, we process personal information as mentioned above, in addition to other general employment data (for payroll, insurance, sick leaves etc.). The purpose is to be able to manage the employment relationship. The lawful basis for this is b) contract, and possibly Article 9 (2) (b) and (h) for special categories of personal information.
You attend our events
When you attend our free events, we process personal information such as contact details and, sometimes, dietary and/or access requirements. For paid events, we also collect order and payment information. The purpose is to be able to process your registration and payment (if applicable). We may also use your data to send you an evaluation of the event you attended, as well as invite you to other relevant events and/or to offer our relevant products and services.
The lawful bases are a) consent, b) contract (for paid events) and/or f), where our legitimate interest is to offer you relevant products and services. If we collect any information about dietary and/or access requirements, we also need your consent under GDPR Article 9 (2) (a).
You respond to our evaluations or surveys
Responding to our evaluations and surveys are voluntary. We process personal information such as contact details and other information you choose to share with us. When it’s anonymous, we don’t process any personal data.
The purpose is to gather your feedback so that we can continuously improve our products and services, as well as provide you with better customer service in the future. The lawful basis is a) consent.
You supply services to or collaborate with us
When you enter into an agreement with us either as a vendor, partner or data processor, we process personal information such as contact details and correspondence. The purpose is to be able to enter into this agreement and to respond to your inquiries and the lawful basis is b) contract.
Your personal information is only retained for as long as we have a purpose and a lawful basis:
Until you withdraw your consent (e.g. for email and SMS marketing)
For as long as we have a contractual obligation, and, if applicable, in accordance with accounting and bookkeeping rules (e.g. for sales)
For as long as we have a legal obligation; in accordance with accounting and bookkeeping rules and/or other legal requirements (e.g. for employment)
For as long as we have a legitimate interest or until you ask us not to process your data in such a way (e.g. marketing to existing customers and use of CRM system)
As a rule, employee information is deleted when the employment relationship ends, unless exceptional reasons (such as a dismissal or dismissal dispute) make it necessary to keep it longer. Job applicants can ask us to retain their data for other applications in the future, otherwise the information is deleted when a candidate has been selected.
We retain personal information in our CRM, or any other system, no longer than we have a lawful basis to do so and we have implemented routines in our business to ensure this.
Finally, you can always withdraw your consent for any data processing based on consent, and you can reach out to us at any time if you’d like us to stop processing and/or ask us to delete any of your data.
In order to run our business efficiently and securely, we sometimes will have to share your personal information with other parties such as:
Data processors: providers of various services that process your personal information on our behalf (e.g. for IT and administrative services, accounting, cloud storage, web hosting, e- mailing etc.)
Professional advisors from industries such as law, finance, accounting, auditing and insurance
IT and other systems support, e.g. for our CRM, cloud storage etc.
Public authorities we are obliged to report to
We require all such recipients to secure data in accordance with good information security and as per the requirements of the Privacy Policy. We enter into a data processing agreement with everyone who processes data on our behalf.
In some cases, your personal information will be transferred outside the EU/EEA, e.g. where we use data processors to manage cloud storage, email services, web hosting etc.
We only use data processors we trust, that are well known and that we have entered into a data processing agreement with. We also make sure necessary safeguards are in place like Privacy Shield for American data processors and/or the EU Model Clauses.
We take information security seriously and we will always do our utmost to safeguard your personal information in the best possible way. For example, we use strong passwords, data encryption, access control and two-factor authentication to secure our data and prevent unauthorized persons from accessing, altering, deleting, or in any way affecting the data we store, including your personal information.
We only allow others to access and/or process your personal information in accordance with our instructions, and only when strictly necessary (e.g. when we require IT support).
We have devised a policy for technical and organisational measures and routines for managing data breaches. If we experience a personal data breach, i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, and it poses a medium to high risk for the data subjects, we will notify the national data authority (Datatilsynet) within 72 hours. If the risk is deemed high for the data subject, we will also notify them directly, if possible.
We don’t process any personal information through our website. We use Google Analytics with the anonymization filter enabled, so no IP addresses are processed by us or by Google. We don’t collect data through forms or social media buttons.
Please note that this document is protected by copyright and you may not copy any text from it.