1. About Privacy
This policy is intended to help us comply with the Personal Data Act of 2018. The policy shall also help to prove that our processing of personal data is in accordance with the law.
2. Responsibility for the processing of personal data with us
The company is responsible for personal data we process, for example about our own employees, contact persons of customers and suppliers, private customers, and other business contacts. The company is responsible for complying with the obligations that follow from the rules on personal data.
The day-to-day processing is the responsibility of the Managing Director.
3. Knowledge of the rules on personal data
We shall ensure that the relevant employees are familiar with the rules on personal data, including this policy on privacy. The level of knowledge shall be adapted to the individual employee's processing of personal data. We will assess whether some groups of employees, such as personnel functions and IT managers, need special knowledge. Our management must always be familiar with the regulations.
4. Mapping of the processing of personal data
We will map all processing of personal data. We will do this in a form where we specify, among other things, the categories of data subjects, the purposes of the processing, how we process the data and what grounds we have for the processing. The forms shall help us to comply with the rules on the processing of personal data.
5. Basic requirements for the processing of personal data
The Act sets out six principles that apply to all processing of personal data. We shall ensure that personal data is:
1) processed in a lawful, fair, and transparent manner with respect to the data subject ("legality, fairness and transparency")
2) collected for specific, expressly stated, and justified purposes and not further processed in a manner incompatible with these purposes ("purpose limitation")
3) adequate, relevant, and limited to what is necessary for the purposes for which it is processed ("data minimization")
4) correct and, if necessary, up to date; reasonable measures must be taken to ensure that personal data that is incorrect with respect to the purposes for which it is processed is deleted or corrected without delay ("correctness")
5) stored so that it is not possible to identify the data subjects for longer than is necessary for the purposes for which the personal data is processed ("storage limitation")
6) processed in a manner that ensures adequate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures ("integrity and confidentiality")
If personal data is used for purposes other than those for which it was collected (see principle 2 above), we shall always consider whether the new or changed purpose is compatible with the original one. In doing so, we shall consider the factors set out in Article 6 no. 4 of the General Data Protection Regulation.
6. Basis for processing personal data
6.1. General
We shall have at least one of the following grounds for all processing of personal data:
1) the data subject has given consent to the processing of their personal data for one or more specific purposes
2) the processing is necessary to fulfil an agreement to which the data subject is a party, or to act at the data subject's request prior to entering into an agreement
3) processing is necessary to fulfil a legal obligation incurred by the data controller
4) the processing is necessary for purposes related to the legitimate interests pursued by the data controller or a third party, unless the data subject's interests or fundamental rights and freedoms take precedence over and require the protection of personal data, especially if the data subject is a child (balancing of interests)
The basis we have for processing the information shall be stated in the mapping form.
If the basis for processing is the consent of the data subject (see no. 1), we shall familiarize ourselves with the special rules that apply to such consents, including the requirement for documentation.
If the basis for processing is our legitimate interest (balancing of interests) (see no. 4), we shall document the assessment concretely and in writing; see the more detailed assessments below.
6.2. Employees
The processing of data is essentially a legal obligation. Some of the processing is also based on a balancing of interests. We need to document that we have fulfilled our obligations under law and agreement after they have been fulfilled. We also need human resources documentation for future personnel management. These are legitimate interests. There is no other way to have this information available than to store it. The processing is therefore necessary.
Our employees have an ongoing contractual relationship with us. The personal data we process is linked to this contractual relationship. It is largely information that the employees themselves have given us. The information relates to matters that an employer normally handles.
We believe that the legitimate interest takes precedence over the employee's interests.
6.3. Former employees
The processing of most of the personal data is based on a balancing of interests. We may need to document personnel matters even after the employment relationship has ended, for example in a dispute with the former employee. This may apply, for example, to documentation that we as an employer have fulfilled our obligations under legislation or the employment agreement. This is a legitimate interest. There is no other way to have this information available. The processing is therefore necessary.
Our practice is to store the information for up to twelve months. Information that the employee has been employed, the duration of employment and the work tasks may be stored for longer. The information will not be disclosed to others unless requested by the former employee, for example in connection with the assessment of employment with a new employer.
We believe that the legitimate interest takes precedence over the interests of the former employee.
6.4. Job seekers
The processing of personal data is based on a balancing of interests. We need to use the information to assess the applications that job seekers send us. This is a legitimate interest. It is not possible to consider an application without processing personal data. The processing is therefore necessary.
We ask those who want to apply for a job with us to send us, at a minimum, information about their name, education, work experience, reference persons, etc. (CV). Job seekers will often also provide additional personal data they consider relevant to the assessment of the application, for example contact information, family circumstances and interests. In interviews, we ask questions to determine whether the job seeker fits the position. In some cases, we may use tests or questionnaires for this purpose. If it becomes relevant to hire the job seeker, we may ask for further information as well as documentation for information we have already received. It is voluntary to provide us with information.
We do not use the information for anything other than to assess the application. We do not provide the information to anyone else. We may retain information from job seekers for six months in case job seekers believe that their rights have not been fulfilled.
We believe that legitimate interest takes precedence over the job seeker's interests.
6.5. Contact persons at vendors
The processing of personal data is based on a balancing of interests. We need to keep in touch with our suppliers to follow up on offers, orders and deliveries, among other things. This is a legitimate interest. Such contact is only effective if we can contact individuals directly. The processing is therefore necessary.
The processing takes place in relation to the contact person's employer, who wants to be a supplier with us. In addition to names, we process contact information, such as telephone number, email address and employer, all of which are linked primarily to the contact person's working conditions and not to the contact person's private life. The scope of the information is very limited. The processing of the data is related to the supplier's business activities and not to the contact person's private life. Our processing of personal data is clearly foreseeable for the contact person.
We believe that the legitimate interest takes precedence over the interests of the contact person.
6.6. Contact persons at customers
The processing of personal data is based on a balancing of interests. We need to keep in touch with our corporate customers to follow up on offers, orders and deliveries. This is a legitimate interest. Such contact is only effective if we can contact individuals directly. The processing is therefore necessary.
The processing takes place in relation to the contact person's employer, who is our customer. In addition to names, we process general contact information, such as telephone number, email address and employer, all of which is linked primarily to the contact person's working relationship. The scope of the information is therefore limited. The processing of the data is related to the customer's business activities and not to the contact person's private life. Where consent is required under the Marketing Act, the contact person will also have given consent before we send marketing emails. Our processing of personal data is clearly foreseeable for the contact person.
We believe that the legitimate interest takes precedence over the interests of the contact person.
6.7. Other contact persons
The processing of personal data is based on a balancing of interests. We need to have contact with public authorities, such as NAV and supervisory authorities, in connection with public law matters where we may have obligations and rights. This is a legitimate interest. In some cases, that communication is effective only if we can contact individuals directly. The processing is therefore necessary.
We store the person's name and contact details, and we use the information to contact the person's employer. The information is related to the activities of the contact person's employer and not to the contact person's private life. Our processing of personal data is clearly foreseeable for the contact person.
We believe that the legitimate interest takes precedence over the interests of the contact person.
7. Basis for processing sensitive personal data
Processing of sensitive personal data requires a basis for processing in addition to those mentioned in section 6.
Sensitive personal data is information about racial or ethnic origin, political opinion, religion, philosophical conviction or trade union membership, as well as genetic and biometric data for the purpose of uniquely identifying a natural person, health information, and information about a natural person's sex life or sexual orientation.
If we are to process such information, we shall ensure that we have a basis for processing it. For our employees, information about health and union membership will be particularly relevant. Health includes, for example, illness and injuries and absence justified by these. A particularly relevant basis for processing will be that the processing is necessary in our capacity as employer, for example when following up and reporting to public authorities or when facilitating the employment relationship.
The processing of information about criminal convictions and offences etc. is subject to special rules that we shall familiarize ourselves with if we are to process such information.
8. Information for the data subjects (personvernerklæring)
We shall provide statutory information to the data subjects. We will provide such information in a privacy statement. All data subjects shall have access to the information concerning them. We provide information to employees in a personnel folder.
The information shall include, among other things, the name of the company and its contact information, the purpose of the processing, the categories of personal data, the recipients of personal data (if it is disclosed), information about any transfer of personal data to other countries, how long the personal data will be stored, the data subjects' right to demand access, rectification or erasure of the personal data, how the company obtained the personal data, and the right to complain about the company to the Norwegian Data Protection Authority.
9. Data subjects' rights
We will respond to inquiries from data subjects without undue delay. If we receive such inquiries, they shall be forwarded to the Managing Director.
We will ensure that data subjects can exercise their rights with us.
10. Deletion of personal data
We will delete personal data without undue delay when it is no longer necessary for the purpose for which it was collected or processed. We will review this at least once a year.
Employees
As a rule, we retain all information for the duration of the employment period. Employees can request that information be deleted. Such requests will be assessed individually. The legislation may require a longer retention period.
Former employees and job seekers
See above about the basis for processing for these categories. The legislation may require a longer retention period than stated therein.
Contact persons of vendors and customers
We will delete the information when we become aware that the contact person has left the supplier or customer or that the supplier or customer has appointed a new contact person. The same applies when the supplier or customer relationship has ceased.
We may still store the information for an extended period if we believe that documentation of the contact we have had with the supplier or customer may be required. This may apply, for example, to questions about rights or obligations in the contractual relationship with the supplier or customer. The legislation may also impose requirements for longer retention periods.
Other contact persons
We will delete the information when we become aware that the person is no longer relevant to our needs, including if the person leaves that company, the public agency, etc.
We may still store the information for an extended period if we believe that documentation of contact with the person or the person's employer may be required. This may apply, for example, to questions about rights or obligations in contractual, public law or other matters.
11. Data protection officer
We have assessed whether GDPR requires our company to have a data protection officer.
We have no or very few natural persons as customers. We do not conduct regular and systematic monitoring of a large scale of data subjects. For most categories of data subjects, we generally process ordinary personal data such as name, address, employer, email address, telephone number, etc. We process certain sensitive information about employees.
We have concluded that our company is not subject to the requirement to have a data protection officer.
12. General risk assessment
We shall risk-assess the processing of personal data. This assessment shall enable us to identify and define what security measures we are going to implement.
The assessments shall consider the probability and severity (risk) of harm to a person's "rights and freedoms", such as physical injury, material damage or financial loss, and non-material damage. Examples of such harm include discrimination, identity theft, reputational damage, loss of social esteem, confidential information becoming known to unauthorized persons and unacceptable interference with privacy.
The mapping shows that we:
- to a large extent only process ordinary contact information, such as name, address, employer, email address, telephone number, etc.
- process information about employees that is common for managing personnel matters, including compliance with statutory obligations
- have few or no private customers
- do not process information about children
- process data that is part of ordinary business activities
We have never been the victim of a data breach. We are also not aware that outsiders have shown interest in the personal data we process. We therefore believe that it is unlikely that the information will be subject to a breach.
Based on the nature and extent of the information we process, we believe that the consequences of a breach would not be serious.
When it comes to some of the information about employees, both the probability and seriousness of violations are somewhat greater. We therefore have our own procedures for processing such information, including restricting access to it.
We will risk-assess changes that may affect information security, such as when we purchase new IT services.
The results of risk assessments must be approved by the person who has day-to-day responsibility for the processing in the enterprise.
13. Security of information
Under the Act, we shall take appropriate technical and organisational measures to achieve a level of security corresponding to the risks associated with our processing of personal data. In doing so, we will consider the state of the art, the implementation costs and the nature, scope, and purpose of the processing, as well as the context in which it is carried out.
Our risks are assessed overall in the section above.
Against this background, we have implemented these measures:
- A person in the company is designated with special responsibility for ensuring security.
- Unauthorized persons shall be prevented from accessing the personal data or the equipment on which it is stored.
- It shall be ensured that the enterprise's network is protected from entry from external networks by a firewall that only passes the necessary data traffic.
- It shall be ensured that the enterprise's networks are protected from use by unauthorized persons, for example by securing wireless networks.
- Additional measures shall be implemented for particularly sensitive information such as sick leave, information about facilitation of the workplace, assessments of the employee, comments, and warnings.
- Employees shall be trained in the use of the company's IT systems.
14. Deviations, analysis of nonconformities and measures to correct them
We must find out whether our processing of personal data follows the rules of the Personal Data Act and the routines in this document. If that is not the case, we need to determine how to increase compliance. We will document in writing both the discrepancies we have found and what we have done to correct them.
In the mapping form, the answers to question 15 may summarise deviations for each category of data subjects. The person filling out the form must notify the Managing Director of such nonconformities. The person who discovers a nonconformity shall initiate immediate action if necessary to limit or prevent significant inconvenience or consequential damage. The person receiving the notification must first consider whether immediate action is necessary, and shall then ensure that measures are implemented to prevent the nonconformity from happening again.
If it turns out that the routines are not aligned well enough with our company, we should consider changing the routines, see section 18.
15. Purchase of IT services – data processing agreements
Normally, we will act as data controller when the company purchases IT services from a service provider. We then remain responsible for ensuring that data protection legislation is complied with when purchasing IT services, such as HR solutions or customer databases/CRM.
Before purchasing IT services, we must therefore, among other things, assess whether the supplier satisfies the security requirements of the Personal Data Act (Article 32). Reputable suppliers will often be able to document that they meet the requirements. We must also ensure that we enter into a data processing agreement that regulates how the data processor will handle the personal data it receives from us and processes on our behalf. Suppliers will often have their own agreements that meet the regulatory requirements.
If the service provider is to transfer personal data to countries outside the EU/EEA, there must be a legal basis for this.
16. Breach of personal data security
In the event of a breach of personal data security (such as hacker attacks or loss of personal data), we shall immediately contact the Norwegian Data Protection Authority to find out what we should do.
"Breach of personal data security" means a breach that leads to accidental or unlawful destruction, loss, alteration, unlawful dissemination of, or unauthorized access to personal data that we process.
In the event of certain breaches of personal data security, we shall notify the Norwegian Data Protection Authority and occasionally also the data subject. Notification to the Norwegian Data Protection Authority shall take place immediately, and no later than 72 hours after we became aware of the breach. It is not necessary to notify the Norwegian Data Protection Authority if it is unlikely that the breach of personal data security will carry a risk to the rights of individuals. An example is where a security breach has resulted in unauthorized persons gaining access to personal data that is already publicly available.
We are obliged to notify the data subject if it is likely that the breach of personal data security will entail a high risk to the rights and freedoms of individuals. We believe that our processing of personal data can only lead to such risks in exceptional circumstances.
We shall document any breaches of personal data security. We do this by describing the actual circumstances surrounding the breach ("What happened?"). In addition, we will describe the effects of the breach and what measures have been taken to remedy the breach. This documentation shall enable the Norwegian Data Protection Authority to check that the enterprise has complied with the requirements of the Act.
17. Assessment of privacy consequences and prior consultation with the Norwegian Data Protection Authority
We will assess the privacy consequences when planning a processing of personal data that is likely to pose a high risk to people's rights, such as the right to privacy. In assessing whether such an assessment is necessary, we shall consider the nature, scope, context, and purpose of the processing. We shall also consider whether new technology is used.
There are several types of cases where it is necessary to assess the privacy consequences: systematic and comprehensive evaluation of personal aspects where the data is used for automated decisions, large-scale processing of sensitive personal data, or systematic monitoring of public areas on a large scale.
In the cases above, we will familiarise ourselves with the special rules that apply, including that the Norwegian Data Protection Authority shall in some cases be consulted in advance.
18. Review, update, and revision of the policy
We will update and revise this policy regularly. The background for this is, among other things, that the rules in law and regulations may change, our processing of personal data may be changed, or experience may indicate that we should change our routines. For the same reasons, we will also regularly review and update the forms with mapping of the processing of personal data.
The Managing Director is responsible for ensuring that the need for changes and revisions is identified and incorporated into the document and in the form. This should be done bi-annually.