Processing of personal data – Privacy Notice
Fram Web provides the services GroupAlert and TeamAlert. In connection with our business, we process personal data. All our processing of personal data is in accordance with the privacy regulation in force at any given time, including the General Data Protection Regulation (GDPR).
The following is an overview of Fram Web’s processing of personal data in connection with our business and the background for the processing and the rights of the data subjects in the processing of personal data.
Personal data processed
As data controller
The entity that decides that personal data is to be processed and how the data is to be processed is responsible for processing in accordance with the privacy regulations it the data controller. The entity that processes personal data on behalf of a data controller is the data processor.
Fram Web is responsible for processing the personal data below unless it is specified that we are the data processor for our customers. Our processing as a data controller is based on the business we run and the purpose of our business. See more below about the purpose of the processing of personal data.
We may process personal data about the same person in different contexts as listed below. We may also process personal data in other ways than those mentioned below, but then we will inform the data subjects in other ways than through this privacy notice.
Contact persons at business contacts, customers, suppliers and others
We process information about contact persons for existing customers, suppliers and business partners in order to maintain contact with persons in the companies in connection with agreements and relationships we have with the companies. We then process contact information such as name, job title, e-mail address and telephone.
We also process contact information related to potential customers, suppliers and business partners. In this regard, we process contact information such as name, title, e-mail address and telephone number of people employed in companies that may become our customers, suppliers or business partners. We may also register information related to communicating with the contact person and the company employing the person.
We also have communication with existing and potential contact persons, and personal data will then be processed in connection with e-mail communication and communication in other channels used for such communication.
The processing of personal data related to contact persons is processed on the legal basis of our legitimate interest as a company to process personal data about contact persons at our business partners (GDPR Article 6 (1) f). We have considered that we can use legitimate interest as the personal data processed is limited (only contact information and information related to the company where the person works) so that the processing is not intrusive. We have also implemented measures to ensure that this information is processed sufficiently secure.
Vi har også kommunikasjon med eksisterende og potensielle kontaktpersoner, og det vil da behandles personopplysninger i tilknytning til epostkommunikasjon og kommunikasjon i andre kanaler som benyttes for slik kommunikasjon.
Behandlingen av personopplysninger knyttet til kontaktpersoner er basert på at vi har en berettiget interesse som virksomhet til å behandle personopplysninger om kontaktpersoner hos våre forretningspartnere (se personvernforordningen artikkel 6 nr. 1 bokstav f). Vi har vurdert at vi kan benytte berettiget interesse som grunnlag siden omfanget og sensitiviteten i personopplysninger som behandles er begrenset (kun kontaktopplysninger og opplysninger knyttet virksomheten hvor vedkommende arbeider) slik at behandlingen er lite personverninngripende. Vi har også iverksatt tiltak for å sikre at disse opplysningene behandles på en tilstrekkelig sikker måte.
Other persons contacting us
When people contact us, we will have to process personal data about them, such as contact information and why they contacted us. After we have clarified why the person contacted us, the personal data will be deleted unless the personal data is retained for other reasons, such as that we will contact the person later or that the person has become a customer, supplier or other business partners.
The processing of personal data related to contact persons is based on the legal basis of our legitimate interest as a company to handle inquiries to us (see GDPR Article 6 (1) f). We have considered that we can use legitimate interest as a legal basis since the scope and sensitivity of personal data that is processed is limited and that the person who contacts us decides what information is given to us. Furthermore, the processing is considered not to be invasive and in the data subject’s control. We have also implemented measures to ensure that personal data is processed sufficiently secure.
Communication with our customers, suppliers and others
In our contact with those we work with daily, we use e-mail, telephone and other communication solutions. In such communication, personal data is both stored and processed. We will retain such personal data for as long as is necessary for our processing and then delete it according to our routines.
The processing of personal data in job search and recruitment is based on our legitimate interest as a company in processing personal data in connection with the hiring of new employees (see GDPR Article 6 (1) f). Therefore, we have implemented measures to ensure that the personal data is processed in a sufficiently secure manner, is only available to those with needs for personal data, and that the personal data is deleted after recruitment has been completed. In addition, personal data may be processed due to an agreement being entered into with a jobseeker (an employment contract), which may be processed under GDPR Article 6 (1) b.
Participants in arrangements
We process personal data about those who participate in arrangements and employees with customers, suppliers, and other business partners.
The personal data is processed both to carry out the arrangements and notify previous participants and stakeholders about such events. We then process contact information about the persons, such as name, place of work, title, e-mail address and telephone number, and which event the person has participated in.
We will delete the personal data two years after the event, since we will invite people who have participated in our events again after participating in one of our events.
Personal data related to events is processed both to implement an agreement with the data subjects (GDPR Article 6 (1) b) to participate in events we organise, and for us to have a legitimate interest (GDPR Article 6 (1) f) as a business to arrange events to make our business and products known and market us, as well as to network. We have considered that we can use legitimate interest as a legal basis for the processing as the scope and sensitivity of personal data that processed is limited (only contact personal data and the event the person is or has participated in) so that the processing is not invasive. We have also implemented measures to ensure that this personal data is processed in a sufficiently secure manner.
To ensure that participants with allergies and intolerances to food, etc., we will obtain personal data on whether they have allergies or intolerances. This is to be regarded as a so-called special category of personal data since this is personal health data, and we get consent for the processing. We do not transfer the personal data to others, such as co-organisers, catering, hotels, etc., but only provide personal data on how many people have allergies, etc. and what kind of allergies it is. We also delete this personal data immediately after the event.
Issuing personal data and newsletters
We send information and newsletters to our customers, business partners and other stakeholders and, in this connection, process the names and e-mail addresses of those who have agreed to receive information. The e-mail address will only be processed and retained as long as the persons have consented to receive information. If you sign up for the newsletter, the e-mail address and other personal data related to it will be deleted immediately.
The processing of personal data (i.e. e-mail address) is processed on the legal basis of an agreement with those who have requested notification to send notifications and newsletters, under GDPR Article 6 (1) b. In addition, for persons with whom we do not have an existing customer relationship, we also obtain consent to send out information by e-mail and/or by SMS.
We conduct surveys related to our business from time to time, where the purpose is to get information from stakeholders about our products and services and any other things that may be relevant (and are then informed about in the survey). Information from surveys is not shared with others, except on an aggregated and anonymised level.
The processing of personal data in surveys is based on the legal basis of legitimate interest as we as a company obtain information from customers, suppliers and other stakeholders, see GDPR Article (1) f. We have considered that we can use legitimate interest as a basis since the scope and sensitivity of processing personal data is limited and that the processing is not intrusive. We have also implemented measures to ensure that this personal data is processed sufficiently secure.
Information collected from surveys is only retained until we have results from the survey.
Users of our webpages
We process information about visitors to our websites, but such information will not be connected to individuals and is therefore not considered personal data.
In addition, we use third-party services, which means that personal data about users is processed as our chat solution, but if no personal data is entered into or processed in these services.
When using our websites, the processing of personal data is processed on that we have a legal basis of legitimate interest in obtaining data from users of the websites to adapt the content on the websites and marketing, see GDPR Article 6 (1) f. We have considered that we can use legitimate interest as a legal basis as the scope and sensitivity of personal data processed is limited, and the processing is not intrusive. We have also implemented measures to ensure that this personal data is processed sufficiently secure.
As data processor
We are a data processor for our customers in connection with providing services to customers meaning that we process personal data on behalf of our customers.
The customers are then the data controllers, and you must contact the customer responsible for processing to exercise your rights, such as to request information about the processing or access to your personal data.
Processing of personal data
We only process personal data within the purpose that was the purpose for the collection of the personal data. Above, you find why we process personal data for individual groups of persons.
Principles of processing
We comply with the principles for our processing of personal data to ensure that the processing is conducted securely and which minimises the processing of personal data, including the following principles:
- We collect and process only the personal data necessary for the purpose for which it was collected (data minimisation).
- When personal data is collected and processed, it is only for specific, explicitly stated and justified purposes, and we do not further process personal data that is incompatible with these purposes (purpose limitation).
- We do retain personal data longer than necessary (retention limitation).
- We only process personal data ourselves or use data processors we have entered into a data processing agreement. If we transfer personal data, as stated in this privacy notice or from information provided to the data subjects in each case, if we are not obliged to transfer personal data following legal regulations (such as to public authorities).
Legal basis for processing
The legal basis we have for processing personal data is included in the information on each processing. See above about «Personal data that is processed».
Transfer and delivery
We do not disclose personal data to anyone other than our suppliers who process personal data on our behalf (data processors) in accordance with data processor agreements entered into.
In some cases, we will disclose personal data to others, such as public authorities, and then disclosure will either take place as a result of us being subject to a legal obligation to disclose the personal data, that we do so in agreement with those to whom the personal data apply (the data subject), or we do so based on consent from the personal data to which it applies.
Location for processing
We process personal data primarily within the EEA area. If we exceptionally transfer personal data out of the EEA area, we do so only based on approved transfer bases in accordance with GDPR. Such transfer will only occur to data processors we have entered into a data processor agreement.
For all personal data being processed, we will implement technical and organisational measures to ensure confidentiality, integrity and availability, ensuring that only authorised persons have access to the data, that the information is not inadvertently changed or deleted and that the information is available when needed.
We delete personal data if the legal basis for the processing ceased or if the personal data is no longer necessary for our processing. For the personal data that we process as data controllers, storage and deletion are listed above under the «Personal data being processed» section.
If we process personal data (“data subject“) as data controllers, natural persons have rights related to the processing of personal data. You can exercise all the rights below if you contact us on the contact information at the end of this privacy notice.
As a data subject, you can request access to the personal data being processed and how we process personal data by contacting us. However, you will find an overview of our processing in this privacy notice.
If you require it, you will also receive a copy of the personal data we process about you. We may ask you to specify what personal data you want a copy of to make it easier for us to comply with the request. When providing a copy of your personal data, we may require that you identify yourself, in order for us to ensure that we do give the personal data to an unauthorised person. The personal data about you will be sent in digital form unless you request to have it transferred in another way.
You have the right to have personal data we process about you corrected if the personal data turns out to be incorrect.
If it turns out that we have personal data about you that we should have deleted, you can require it deleted unless the personal data is necessary for us. We will then delete the personal data as soon as the processing is no longer necessary.
If you experience a breach of your privacy, please contact us at the contact information below. You can also contact the Supervisory Authority, see below, but we ask you to contact us in addition so that we can implement the necessary measures as soon as possible.
We use the Norwegian Supervisory Authority (Datatilsynet) as the leading supervisory authority for cross-border processing under GDPR Article 56. You can therefore direct any complaint to the Norwegian Supervisory Authority.
If you believe that our processing of personal data violates these rules or the privacy legislation, including the Personal Data Act or the Privacy Regulation (GDPR), then you can also complain to the Supervisory Authority. You can find information on how to contact the Supervisory Authority on the website: www.datatilsynet.no
Transfer of personal data to countries outside the EEA
As known, a judgment was given in the European Court of Justice in the summer of 2020 regarding the transfer of personal data from EEA countries to the USA. The ruling means that the Privacy Shield is no longer valid as a basis for transfer to the United States under GDPR Chapter V.
Fram Web currently does not use any suppliers or subcontractors to suppliers in the USA where the transfer takes place, according to the Privacy Shield. All transfers take place in accordance with the EU’s standard terms for transfers to third countries (SCC) based on a decision by the EU Commission on 5 February 2010. SCC is approved as a legal basis for the transfer.
The data processors we use in the USA may be subject to the surveillance laws in the USA, and we have implemented measures to ensure that customers are notified of access from the authorities and to ensure that the supplier’s level of privacy is similar to that within the EEA.
We have assessed how the data subjects’ rights are safeguarded by assessing the security measures for our suppliers in third countries, i.e. countries outside the EEA, particularly the USA. We believe that the suppliers’ measures to protect the transferred personal data are sufficient to safeguard privacy.
Fram Web AS follows the development in these questions closely and will implement the measures and advice provided by the authorities, including the EU Data Protection Board (EDPB) and the Norwegian Supervisory Authority. Fram Web is also looking at, to the extent possible, moving from suppliers from third countries to countries within the EEA for further protection of the data subjects’ privacy.
Amendments and updates
We may need to change this privacy statement, such as when there are changes in our processing of personal data or there is a change in the regulations that necessitate changes. The updated privacy statement will be available on this webpage, and if we have registered your personal data and find that the changes are significant to you, we will notify you of the changes by e-mail or SMS.