Data Protection Legislation
Any personal data that you make available to us on the Website will be processed in accordance with the applicable minimum requirements set out in the Norwegian Personal Data Act and EU personal data legislation and UK personal data legislation (referred to in this Policy as the “Data Protection Legislation”). Where these 3 laws are not identical we will apply the law which provides the best protection for your personal data.
Personal Information We May Collect from You
We may collect and process the following data about you:
- Personal Information you give us. You may give us personal information by filling in forms on our Website or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you register to use the Website, when you submit employment applications or information on the Website, when you report a problem with the Website when you provide us with your information in order to fulfil a contract with us or in anticipation of entering into a contract with us. The information you give us may include your name, address, e-mail address and phone number, personal description and photograph, and CV. By providing information to us, you warrant that such information is accurate and correct and that you are authorised to provide such information where the personal data is not your own.
- Personal Information we collect about you. With regard to each of your visits to the Website we may automatically collect the following information (‘Cookies’):
- technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and
- information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); services you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
We do not normally collect or process any special category information. (This is defined in the Data Protection Legislation as information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.)
Use of Your Personal Information
We may use personal information we hold about you to improve our services, to contact you with regard to services about which you have enquired, to make available targeted information, and to reply to and process requests and enquiries, to provide our services to you and receive services you are providing to us. We may also use the information automatically collected (via Cookies) for site management and improvement and, in the case of suspected unauthorised activity, for law enforcement and prosecution purposes.
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with, or receive from you, goods or services). In this case, we may have to cancel the supply or order for a product or service, but we will notify you if this is the case at the time.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Lawful Basis for Our Use of Your Personal Information
We will only use your personal data when the law allows us to do so. Most commonly, we will use your personal data in the following circumstances:
- where we need to perform the contract we are about to enter into or have entered into with you.
- where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- where we need to comply with a legal obligation.
Generally, we do not rely on consent as a legal basis for processing your personal data. If we are relying on your consent to process your personal data you have the right to withdraw such consent (e.g. to certain types of marketing) at any time by contacting us.
Disclosure of Your Personal Information
We may share your personal information with any of our affiliated companies. We will not share your personal data with any other third party unless:
- this is necessary to provide you with our services;
- it is to improve our services, such as sharing it with analytics and search engine providers that assist us in the improvement and optimisation of the Website; or
In each of these cases we will only disclose your personal information to the relevant third parties.
We do not sell personal information to third parties.
Storage of Personal Information and transfers out of the UK and/or EEA
The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps necessary to ensure that if your data is transferred outside the EEA such a transfer is in accordance with the security requirements set out in the Data Protection Legislation.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK/EEA.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Data retention – for how long will we use your personal data?
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint, or, if we reasonably believe there is a prospect of litigation with respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Details of retention periods for different aspects of your personal data are available in our retention policy which you can request by contacting us.
By law we have to keep basic information about our customers (including contact, identity, financial and transaction data) for six years after they cease being customers for tax purposes.
In some circumstances you can ask us to delete your data: see your legal rights below for further information.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Further to the Data Protection Legislation under certain circumstances you have the right to:
- access your personal information and
- modify any false information,
- request your data be erased entirely
- object to processing of your personal data
- request restriction of processing your personal data
- request transfer of your personal data
- withdraw consent to processing (where we are only relying on your consent as the lawful basis for such processing)
You can exercise these rights at any time by contacting our Data Protection Manager at firstname.lastname@example.org.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We have a legal obligation to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Links to other websites
The Website may, from time to time, contain links to and from third-party websites. If you follow a link to any of these websites, please note that we do not accept any responsibility or liability for these policies. Please check the privacy policies on such third party websites before you submit any personal data to them.
Your right to complain
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk) if you are an individual based in the UK, or, if you are in another jurisdiction within the EU, you can complain to the relevant supervisory authority.
We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Automated Decision-Making (ADM): when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing.
Automated Processing: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing.
Company Personnel: all employees, workers, contractors, agency workers, consultants, directors, members and others.
Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.
Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. We are the Controller of all Personal Data relating to our Company Personnel and Personal Data used in our business for our own commercial purposes (such as supplier and client contact information).
Criminal Convictions Data: means personal data relating to criminal convictions and offences and includes personal data relating to criminal allegations and proceedings.
Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the Processing of Personal Data.
Data Protection Officer (DPO): the person required to be appointed in specific circumstances under the relevant GDPR. The Company does not currently require a DPO to be appointed either under the UK or EU GDPR and any queries regarding the processing of personal data are to be addressed to the [DP Manager].
Explicit Consent: consent which requires a very clear and specific statement (that is, not just action).
UK GDPR: the retained EU law version of the General Data Protection Regulation ((EU) 2016/679). Personal Data processed in the UK is subject to the legal safeguards specified in the UK GDPR.
Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Special Categories of Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.
Privacy by Design: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.
Special Categories of Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.