Privacy Statement

Last updated: 10.12.2018

This privacy policy applies to Fossum IT ("we" or "us"). We are responsible for the processing of personal data described in this privacy policy. You will find our contact information below.

1. About whom we process personal data
This privacy policy applies to our processing of personal data about the following people: Customers and Visitors to our website

2. Purpose, types of personal data and legal basis
Below we have provided an overview of the purposes for which we process personal data, the types of personal data we process and the legal basis for the processing.

Establishing customer relationships
When establishing a customer relationship, contact information is registered, including, but not limited to, organization number, postal address and e-mail address. The registration of contact information is necessary for private customers in order to be able to enter into an agreement with the person concerned, cf. GDPR article 6 no. 1 letter b. For business customers, the registration of contact information is based on a balancing of interests, cf. GDPR article 6 no. 1 letter f.

Knowledge management
In certain cases, it may be appropriate to store concrete work in anonymized form because it may have value as a basis for experience in other cases. The basis for processing is our interest in making use of prepared knowledge in further advice, cf. GDPR article 6 no. 1 letter f (balancing of interests).

Customer administration
Customer information is stored in separate areas and in our accounting system. For business customers, what we do in connection with client administration is authorized in GDPR article 6 no. 1 letter f (balancing of interests), while for private customers it is considered a necessary part of fulfilling the agreement with the person concerned, cf. GDPR article 6 no. 1 letter b.

Storage and retention of information
We store information in accordance with requirements in Norwegian law. The legal basis for processing personal data is GDPR article 6 no. 1 letter f (balancing of interests) and GDPR article 9 no. 2 letter f (determining, asserting or defending legal claims), cf. Personal Data Act (new 2018) § 11.

Contact information received from business customers is used to mark invoices that are sent to the business if the customer requests this. For private customers, the person's private postal address is used for sending invoices, or possibly the given e-mail address if the client prefers it. The basis for processing is GDPR article 6 no. 1 letter f (balancing of interests) for business customers and GDPR article 6 no. 1 letter b (necessary to fulfill the agreement with the data subject) for private customers.

IT operation and security
Personal data stored in our IT systems may be accessible to us or to our suppliers in connection with system updates, implementation or follow-up of security measures, error correction or other maintenance. The processing basis is GDPR article 6 no. 1 f (balancing of interests) and our legal obligation to have satisfactory information security, cf. GDPR articles 32 and 6 no. 1 letter c.

3. Who we share personal data with
Our suppliers of IT services will be able to have access to personal data if personal data is stored and the supplier or otherwise is available to suppliers in accordance with the contract with us. The suppliers act in accordance with the data processing agreement and under our instructions. The supplier can only use the personal data for the purposes we have determined and which are described in this privacy policy. We do not disclose personal data in other cases or in other ways than those described in this privacy pol icy unless the client explicitly encourages or consents to this, or the disclosure is required by law.

4. Storage of personal data
We store your personal data with us for as long as is necessary for the purpose for which the personal data was collected. The Accounting Act otherwise requires us to store specific accounting documents for a specified period of time. When a specific purpose dictates storage for a given period of time, we ensure that the personal data is exclusively used for the purpose in question during this period.

5. Your rights
You have rights in personal data relating to you. What rights you have depends on the circumstances. Withdraw consent If you have given consent to receive newsletters from us, you can withdraw this consent at any time. We have made it possible for you to easily opt out of this type of inquiry by including a link to the deregistration form in each inquiry. If you have consented to other processing of personal data, you can also withdraw your consent for this processing at any time by contacting us about this. Request access You have the right to access the personal data we have registered about you, as long as the duty of confidentiality does not prevent this. In order to ensure that personal data is handed over to the right person, we may require that requests for access be made in writing or that identity is verified in another way. Request correction or deletion You can ask us to correct incorrect information we have about you or ask us to delete personal data. We will as far as possible accommodate a request to delete personal data, but we cannot do this if there are compelling reasons not to delete, for example, that we have to store the information for documentation purposes. Data portability In some cases, you will be able to have access to personal data you have provided to us in order to have it transferred in a machine-readable format to another law firm. If it is technically possible, in some cases it will be possible to have these transferred directly to the other company. Complaint to the supervisory authority If you disagree with the way we process your personal data, you can submit a complaint to the Norwegian Data Protection Authority.

6. Security
We have established procedures to handle personal data in a secure manner. The measures are both of a technical and organizational nature. We regularly assess the security of all central systems that can be used for handling personal data, and agreements have been entered into that require suppliers of such systems to ensure satisfactory information security. Access to personal data (and client/case information) is limited to personnel who need access to perform their tasks. We have adopted internal IT guidelines, and we regularly train employees with regard to security and the use of IT systems.

7. Changes to the privacy policy
We will be able to make minor changes to this privacy policy. You will always find the latest version on our website. In the event of significant changes, we will notify you of this.

8. Contact us
If you have questions or comments about our privacy policy or you want to exercise your rights, you can contact us.