2. Parties and definition
In this policy, “you” and “your” mean any covered individual. “We”, “us”, “our” and “NBT AS” mean NBT AS.
“Personal Data” is defined as any data that relates to an identified or identifiable individual or a person who may be identified by means reasonably likely to be used.
This policy applies to NBT AS’ dimensions and activities, in all geographies where we operate, where the GDPR applies. The policy applies to the Processing of Personal Data collected by us, directly or indirectly, from all individuals including, but not limited to, our current, past or prospective job applicants, employees, consultants, clients, consumers, children, suppliers/vendors, contractors/subcontractors, shareholders or any third parties.
4. Collection and processing use of your personal data
Compliance with the European data protection law and any additional applicable local data protection law
We are committed to complying with any applicable legislation relating to Personal Data and we shall ensure that Personal Data is collected and processed in accordance with provisions of the European data protection law and other applicable local law, if any.
Lawfulness, fairness and transparency
We guarantee that your Personal Data is processed in a lawful, fair and transparent manner. This means that we do not process Personal Data without a legal basis (for more information, see the section «Legal grounds for processing»).
At the same time, we may have to collect and process your Personal Data where necessary for the performance of a contract to which you are party, or when it is necessary for compliance with a legal obligation to which we are subject or where required, with your prior consent. We may also collect and process your Personal Data for our legitimate interests, except where such interests are overridden by your interests or fundamental rights and freedoms.
When collecting and processing your Personal Data, we will provide you with a fair and full information notice or privacy statement about who is responsible for the processing of your Personal Data, for what purposes your Personal Data are processed, who the recipients are, what your rights are and how to exercise them, etc., unless it is impossible or it requires disproportionate efforts to do so.
When required by applicable law, we will seek your prior consent (e.g. before collecting any sensitive Personal Data). For instance, by clicking on the button “I agree to the processing of the personal information that I leave for the above use” on our website, you agree that the personal information that you fill in / give us can be used for the use that is formulated in the consent.
Legitimate purpose, limitation and data minimization
Your Personal Data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Some examples of times in which we collect information are: when entering into agreements on services with suppliers and customers, when filling in contact information on our website, when contacting us by e-mail, telephone, website and social media, when registering to receive newsletters, when registering to participate in information meetings. Also note that if you visit our website, this will generate data, in addition to, for instance, IP address, device type, operating system and browser type used.
When we act for our own purposes, your Personal Data is processed mainly for, but not limited to, the following: recruitment management, human resources management, accounting and financial management and related controls and reporting, finance, treasury and tax management, risk management, management of employees’ safety, provision of active directory, IT tools or internal websites and any other digital solutions or collaborative platforms, IT support management, including infrastructure management, systems management, applications, health and safety management, information security management, client relationship management, bids, sales and marketing management, supply management, internal and external communication and events management, compliance with anti-money laundering obligations or any other legal requirements, data analytics operations, legal corporate management and implementation of compliance processes.
Data accuracy and storage limitation
We will keep Personal Data that is processed accurate and, where necessary, up to date. We will take all expected measures to ensure that incorrect information is deleted or corrected.
Also, we will only retain Personal Data for as long as necessary for the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements and, where required for us to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled. If you want to learn more about our specific retention periods for your Personal Data established in our retention policy you may contact us at email@example.com.
We also guarantee that your personal information is not stored in a format that makes it possible to identify you for longer than is necessary for the use for which the information is adapted. Upon expiry of the applicable retention period we will securely destroy your personal data in accordance with applicable laws and regulations.
5. Legal grounds for processing
Processing shall be lawful only if and to the extent that at least one of the following applies (ref. General Data Protection Regulation, §6):
a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c. processing is necessary for compliance with a legal obligation to which the controller is subject;
d. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
6. Security of your personal data
We implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful alteration or loss, or from unauthorized use, disclosure or access, in accordance with our security guidelines and policies. We take, when appropriate, all reasonable measures based on Privacy by design and Privacy by default principles to implement the necessary safeguards and protect the Processing of Personal Data. We also carry out, depending on the level of risk raised by the processing, a Privacy impact assessment (“PIA”) to adopt appropriate safeguards and ensure the protection of the Personal Data. We also provide additional security safeguards for data considered to be Sensitive Personal Data.
7. Disclosure of your personal data
We are very strict about who will have access to your personal information, and only people who need access to such information will have it. We share your Personal Data only in the following circumstances:
- internally for the purposes described in this policy;
- with third parties, including certain service providers we have retained in connection with the purposes described in this policy and the services we provide;
- with companies providing services for money laundering and terrorist financing checks and other fraud and crime prevention purposes and companies providing similar services, including financial institutions and regulatory bodies with whom such Personal Data is shared;
- with courts, law enforcement authorities, regulators, government officials or attorneys or other parties where it is reasonably necessary for the establishment, exercise or defense of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process;
- with service providers who we engage within or outside of NBT AS, domestically or abroad, e.g. shared service centers, to process Personal Data for any of the purposes listed above on our behalf and in accordance with our instructions only;
- if we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets to whom we assign or novate any of our rights and obligations.
Children merit specific protection with regard to their Personal Data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the Processing of Personal Data. Such specific protection should, in particular, apply to the use of Personal Data of children for the purposes of marketing or creating personality or user profiles and the collection of Personal Data with regard to children when using services offered directly to a child.
We do not collect and process Children’s Personal Data without the consent of the holder of parental responsibility where required. In particular, we do not promote or market our services to Children, except for specific services and upon the consent of the holder of parental responsibility. If you believe that we have mistakenly collected a Child’s Personal Data, please notify us using the contact details provided below.
9. International personal data transfers
In accordance with the GDPR, it is not permitted to transfer Personal Data to third countries outside the EEA that do not ensure an adequate level of data protection. Some of the third countries in which we operate outside of the EEA do not provide the same level of data protection as the country in which you reside and are not recognized by the European Commission as providing an adequate level of protection for individuals’ data privacy rights.
As such transfers to such countries may be necessary in some cases, we have put in place an adequate safeguard to protect your Personal Data. You will be provided with more information about any transfer of your Personal Data at the time of the collection of your Personal Data through appropriate privacy statements. For further information, including obtaining a copy of the documents used to protect your information, please contact us at firstname.lastname@example.org.
11. Your rights
You have a number of rights when it comes to your personal information, and you have the opportunity to influence the information and what is stored. Among other things, you have the right to receive information about what data we have stored. You can also demand that we correct incorrect information or delete your information. You can contact us at any time and request that your information be deleted or that the use of the information be restricted.
Below is a table that summarizes your various rights:
| Right | Description |
|---|---|
| Right of access and rectification | You can request a copy of the Personal Data we have on you. You may also request rectification of inaccurate Personal Data, or to have incomplete Personal Data completed. |
| Right to erasure | Your right to be forgotten entitles you to request the erasure of your Personal Data in cases where: I. the data is no longer necessary for the purpose for which it was collected; II. you choose to withdraw your consent; III. you object to the processing of your Personal Data; IV. your Personal Data has been unlawfully processed; V. there is a legal obligation to erase your Personal Data; VI. erasure is required to ensure compliance with applicable laws. |
| Right to restriction of processing | You may request that processing of your Personal Data be restricted in the cases where: I. you contest the accuracy of your Personal Data; II. we no longer need your Personal Data for the purposes of the processing; III. you have objected to processing for legitimate reasons. |
| Right to data portability | You can request, where applicable, the portability of your Personal Data that you have provided us without hindrance where: a. the processing of your Personal Data is based on consent or on a contract; and b. the processing is carried out by automated means. You can also request that your Personal Data be transmitted to a third party of your choice (where technically feasible). |
| Right to object to processing | You may object (i.e. exercise your right to “opt-out”) to the processing of your Personal Data. When we process your Personal Data on the basis of your consent, you can withdraw your consent at any time. |
| Right not to be subject to automated decisions | You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal effect upon you or significantly affects you. |
| Right to lodge a Complaint | You can choose to lodge a Complaint with the Supervisory Authority in the country of your habitual residence, place of work or place of the alleged infringement, regardless of whether you have suffered damages. You also have the right to lodge your Complaint before the courts where we have an establishment or where you have your habitual residence. |
If you wish to withdraw your consent or request access to your Personal Data, corrections or erasure, you can contact us by using the contact information found in the «contact us» section. At the same time, we ask you to fill out our Request Form and include it as an attachment if sending by e-mail. You may also fill out the form directly on our website and send the form from there. If you have any questions concerning the request or complaint process, you may find the answers in our Guidelines for complaints and requests.
If you feel that your rights are not being respected, please get in touch directly with us (see contact details below) or with Datatilsynet (email@example.com).
We may update this policy from time to time as our business changes or legal requirements change. If we make any significant changes to this policy, we will post a notice on our website when the changes go into effect, and where appropriate, communicate directly with you concerning the change.
13. Contact us
If you have questions, comments and requests regarding this policy, you may contact us on firstname.lastname@example.org. You may also contact us through the following mailing address: