Guidelines for complaints and requests
Ensuring that all complaints and requests are handled efficiently, quickly and attentively is one of our goals. This applies to all questions related to our processing of Personal Data. In some cases, we may act as data processors on behalf of a client. In such cases, the client will be responsible for the handling of registered requests related to compliance with GDPR and the data subject’s Personal Data.
In this policy, “you” and “your” means any covered individual. “We”, “us”, “our” and “NBT AS” means NBT AS.
- Client means organisations or corporations that ask NBT AS to perform services on their behalf for their employees/consultants (who are users of these services).
- Complaint means the complaint lodged by a Data subject with a Supervisory Authority or a court of justice if the Data subject considers his or her rights under GDPR are infringed.
- Controller means the entity that determines the purposes and means of the Personal Data processing.
- Data subject means an identified or identifiable individual whose Personal Data is concerned by processing of NBT AS, including the Personal Data of NBT AS current, past and prospective applicants, employees, clients, consumers/beneficiaries, suppliers/vendors, contractors/subcontractors, shareholders or any third parties.
- General Data Protection Regulation or GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
- Personal Data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Processing or Personal Data Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Request means one of the mechanisms provided by the GDPR to individuals to allow them to exercise their rights (such as the right of access, to rectification, to erasure etc.). An individual may make a Request against any entity which processes its Personal Data.
- Supervisory Authority means an independent public authority which is established by a Member State as specified in the GDPR.
Your rights under GDPR
Where we process Personal Data on behalf of a Client, we will notify the Client of any Data Subject’s Request received. We will furthermore cooperate and provide the Client with assistance in relation to the Request, to the extent legally permitted and agreed.
- To enable us to assist you as quickly and efficiently as possible, please provide a full written explanation of your query by completing the Request Form. For more information, see the “Request Form” section.
- In cases where we only act as data processors on behalf of a Client, we shall inform our Client acting as Controller of any Request made by a Data Subject as soon as possible. The Client will be in charge of handling such Request and NBT AS will assist the Client in responding to Data Subject Requests. NBT AS will directly handle Requests only when it is agreed with the Client or if the Client disappears, ceases to exist by law or becomes insolvent. In all other cases, NBT AS will assist the Client in responding to Data Subject Requests.
- Your Request will be treated confidentially and fully investigated where necessary. During this process, you may receive additional communication from us in order to investigate your concern. If you have not provided sufficient information in your Request, we will let you know what further information is needed.
- Once the information related to your Request is complete, we will contact you within thirty (30) days to provide you with an answer. This deadline may be extended in certain circumstances, depending on the nature of the Request.
Our approach is to engage positively and to resolve your Request in a satisfactory manner without you having to file a complaint with the local Court or the relevant Supervisory Authorities. Please note that you can choose to lodge a complaint with the Supervisory Authority in the country of your habitual residence, place of work or place of the alleged infringement, regardless of whether you have suffered damages. You also have the right to lodge your complaint before the courts where we have an establishment or where you have your habitual residence.
If you have any queries with the processing of your Personal Data, you should not hesitate to raise your query to NBT AS. To help us to deal with your Request, please provide a full written explanation of your query by completing the Request Form.
To be sent by email to the generic e-mail address as indicated in the information notices and/or the privacy policies provided to you at the time of the collection of your Personal Data. It can also be sent through the form embedded in our website or manually to email@example.com. The request form can be found here.
The information collected in the form is intended to enable us to quickly and efficiently respond to your request. After the request has been treated, the information will be archived for five years and then deleted. For any questions related to this request form, please contact us by using the following e-mail address: firstname.lastname@example.org.