1. Data Controller
This Privacy Policy explains how we collect and use (process) personal data in our business. INNORWEGIAN AS, represented by its Managing Director, is the data controller for the processing.
Our contact information is:
We take your privacy seriously, and we have taken several steps to make sure we give you clear information about how we process your data and what rights you have. If anything is unclear or missing, please do not hesitate to contact us.
2. Your Rights
Please contact us if you have any questions about your rights or wish to exercise any of them. You are entitled to a response within 30 days. You can read more on the website of the Norwegian Data Protection Authority (Datatilsynet).
- Access and rectification: You can request a copy of all information we process about you, and ask us to correct information that is inaccurate.
- Erasure or restriction: In certain situations, you may ask us to delete and/or restrict the processing of information about you, but we cannot delete data we are legally required to process.
- Objection to processing: If we process information about you on the basis of legitimate interest, you have the right to object.
- Data portability: If we process information about you on the basis of consent or a contract, you can ask us to transfer the information to you or to another data controller.
- You also have the right to withdraw your consent at any time.
- If you are not satisfied with how we process your data, you can lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) — but we hope you will let us know first so we can try to resolve the matter for you.
3. Whose personal data we process
We process personal data about:
- Customers
- Potential customers
- Contact persons at suppliers and partners
- Website visitors
- Job applicants
- Employees
- Former employees
4. How we collect personal data
Providing personal data to us is voluntary, but in order to complete a transaction we will need a number of details from you.
We process personal data when you:
- purchase our products/services
- contact us by phone, SMS, our website, email or social media
- subscribe to our newsletter
- sign up for events we host
- respond to a survey
- use our website
- apply for a job with us or are employed by us
- are a supplier or partner of ours
5. Purpose, legal basis and storage
Under Article 6(1) of the General Data Protection Regulation (GDPR), personal data may be processed on the basis of:
- Your consent
- A contract we have entered into
- A legal obligation we are subject to
- Protecting the vital interests of the data subject or another natural person
- Performing a task carried out in the public interest or in the exercise of official authority
- A legitimate interest we consider that we have
As a general rule, personal data shall not be processed and stored longer than necessary to fulfil the purpose of the processing. If we process your personal data on the basis of a legitimate interest we consider that we have, you may object to the processing by contacting us. We will then assess your objection and respond promptly.
To ensure compliance, we conduct annual GDPR reviews where we formally assess and review our privacy work. The purpose is to amend, update and, where necessary, delete personal data.
We retain data for as long as we are required to under applicable legal obligations — for example relating to accounting, tax or employment legislation — and/or other relevant rules and regulations. You may contact us at any time if you would like us to stop processing or to delete your personal data, but please note that we cannot delete personal data we are legally obliged to process.
We have procedures in place to ensure that personal data is deleted from all relevant systems when we no longer have a purpose and/or a legal basis for continuing to process it.
Accounting records are retained for up to 5 years, in accordance with the Norwegian Bookkeeping Act (bokføringsloven).
6. How we process personal data
Below, we describe in detail when and how we process your personal data, for what purposes, on what legal basis, and for how long. We process personal data when:
You communicate with us
When you give us your business card, or contact us via our website (contact form, comment field, chat or similar), by email, phone (calls, text messages) or social media, we process personal data. Depending on where and how you send us a message, this may include your name, contact information, IP address and any other information you choose to send us.
The purpose is to be able to respond to enquiries from you, to maintain a record of communications, and to have documentation in case we receive complaints, grievances or legal claims.
The legal basis may be:
- A legitimate interest we consider that we have, where the legitimate interest is to be able to respond to enquiries from you, to maintain a record of communications, and to have documentation in case we receive complaints, grievances or legal claims.
We review, archive and delete enquiries as needed, but no less than once per year.
You purchase our products and services
When you purchase products and services from us, we process personal data such as your name, contact information, order and payment information, and purchase history.
The purpose is to be able to deliver products and services to you following your order/purchase, to maintain a record of products and services sold, and otherwise to administer and follow up on the customer relationship with you.
The legal basis may be:
- A contract we have entered into.
- A legitimate interest we consider that we have, where the legitimate interest is to be able to respond to enquiries from you, to maintain a record of communications, and to have documentation in case we receive complaints, grievances or legal claims.
Marketing within an existing customer relationship
When you become a customer of ours, we process personal data as described above. If you have an existing customer relationship with us, we may send you marketing communications by email and SMS, in accordance with section 15 of the Norwegian Marketing Control Act (markedsføringsloven). The legal basis will then be legitimate interest, but may also be consent.
The purpose of the marketing is to be able to provide good customer service.
You may opt out of marketing by email and SMS at any time. Information on how to opt out is included in all marketing-related emails and SMS messages we send.
You apply for a job or work for us
When you apply for a job with us, we process personal data such as your name, contact information, CV and other information we need to assess your application.
The legal basis may be:
- A contract we have entered into.
The legal basis may vary depending on where we are in the recruitment process and what type of position is involved.
For employees, we process personal data as mentioned above, in addition to information necessary to pay salaries and otherwise administer the employment relationship.
The legal basis may be:
- A contract we have entered into.
- A legal obligation we are subject to.
Most personal data about employees is processed on the basis of the employment contract and is, as a general rule, deleted when the employment ends — unless particular grounds (such as a dispute over termination or dismissal) require it to be retained longer.
You sign up for an event
When you attend free events hosted by us, we process personal data such as your name and contact information. For paid events, we also collect order and payment information. The purpose is to be able to offer relevant courses, talks and workshops, or to fulfil the agreement for the booked event.
The legal basis may be:
- Your consent.
- A contract we have entered into.
- A legitimate interest we consider that we have.
We may also use your personal data to send you a request to evaluate the event you attended, and to invite you to similar events. The legal basis is then legitimate interest, where the legitimate interest is to continuously improve our products and services and to provide good customer follow-up.
How long we store the information depends on the type of event, but it is usually deleted within 12 months at the latest.
You respond to a survey
We always inform you of the purpose of any surveys we conduct, and whether they are anonymous or not. We do not share the information with others, or use it for purposes other than those stated. For anonymous surveys, we do not collect personal data.
The legal basis for non-anonymous surveys may be:
- Your consent.
You are a supplier or partner of ours
When you enter into an agreement with us, whether as a supplier, partner or data processor, we process personal data such as your name, contact information and correspondence.
The purpose is to be able to enter into an agreement with you, and the legal basis may be:
- A contract we have entered into.
- A legitimate interest we consider that we have.
The information is retained for as long as we have an ongoing relationship. We process personal data related to general correspondence and communication as described above.
You use our website
When you use our website, we process personal data in accordance with our cookie policy. The purpose is to administer our website, promote the business and respond to enquiries from visitors. The legal basis for cookies that store or process information falling within section 2-7b of the Norwegian Electronic Communications Act (ekomloven) is consent through a preset in your browser, in line with the recommendations of the Norwegian Communications Authority (Nkom).
7. Who we share personal data with
In order to run our business efficiently and securely, we sometimes need to share your personal data with parties such as:
- Data processors: providers of various services who process your personal data on our behalf*
- Professional advisers from sectors such as law, finance, accounting, auditing and insurance
- Support providers for IT and administration systems
- Public authorities to which we are required to report
We require all parties with whom we share your personal data to safeguard your data in accordance with good information security practices and the requirements of the GDPR. We enter into data processing agreements with all who process data on our behalf, and confidentiality agreements where needed.
*We use data processors for:
- email, calendar and online meetings
- bookkeeping, accounting and invoicing
- cloud storage
- newsletters
- electronic signing
- surveys
For security reasons, we have not named these providers, but please feel free to contact us if you would like to know more.
8. Security
We take information security seriously, and we will always do our utmost to safeguard your personal data in the best possible way. Among other things, we use:
- strong passwords
- backups
- two-factor authentication
to protect our data and prevent unauthorised access to view, modify, delete or in any way affect the data we store, including your personal data.
We only use reputable providers of IT and administration services such as web hosting, website and PC security, antivirus software, email provider, backup, and more. We only allow others to access and/or process your personal data in accordance with our instructions, and only where strictly necessary (for example, IT support).