Privacy Statement

Brandsdal Group collects and processes personal information. It is our utmost concern to collect and process your personal data in a safe and secure manner. Below you will find information about how our organization uses the personal data we collect from you when you use one of our websites.
The person responsible for processing the personal data at Brandsdal Group is Espen Wetrhus, who can be contacted by e-mail at privacy@brandsdalgroup.com.
Your personal data is also processed when you interact with one of our subsidiaries (Blivakker, Netthandelen and Cocopanda). For each of our subsidiaries, you can contact the appropriate customer support with any questions you may have about the processing of your personal data. This can be done through “My page”. In case of any questions about processing personal data in connection with those subsidiaries, see the separate privacy statements available on the subsidiaries’ websites.

Processing of personal data
We collect and use personal information for different purposes depending on who you are and how you interact with our services. This Privacy Notice gives you an overview of how Brandsdal Group processes your data, the purpose, and the legal basis of the processing as well as how long your personal data is being processed, etc.
The term “personal data” applies to all the information that can be linked to a natural person (the latter is further referred to as “the registered”).
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Existing and potential customers, suppliers, and partners, etc.
We process personal information about existing and potential customers (in business relationships), suppliers and other partners for sales and marketing activities, to manage our relationship with suppliers and others, prepare, implement, and document services as well as evaluate the use of services. In these cases, we will process names, contact information, company names and information related to the contact with the company in which the person in question works.
Private data processing is necessary to safeguard the legitimate interests of our company or of a third party, and the interests, fundamental rights and freedoms of the data subject do not override the first-mentioned interests. Article 6(1)(f) GDPR serves as the legal basis for the processing.
We also store and disclose information where we have a legal obligation to do so, for example in accordance with accounting and tax legislation.
We will keep your data for as long as they are needed for the purposes for which your data was collected and processed or required by laws and regulations.
In many cases, it will be necessary for us to obtain personal information to enter into agreements with customers and suppliers, among other things to document that an agreement has been entered into. If we do not receive the information we need, we will not be able to enter into agreements.
It is voluntary for you to provide us with personal information. If we collect personal information from others, it will mainly apply to contact information (including name, address, telephone number and e-mail address), position, function, and employer, as well as any competence and references where relevant. The source for such information will be the contact person’s employer, for example from the employer’s website. In some cases, we collect references from others to assess the suitability of suppliers and partners.
We store the information until the relationship with the customer, supplier, or partner ceases or until the contact person ceases to be the contact person, with the exceptions mentioned above.

Recruitment
Personal information means all information that relates to an identified individual or to an identifiable individual. For example, your name, address, email address, educational and employment background, CV, and job qualifications. Personal information is also referred to as information about you.
We use the job search service Cvideo to manage submitted applications, and this is our data processor. If you register with the job search service with your own profile, the service will be responsible for processing your personal data. For information about the processing of personal data in the service, check Cvideo’s privacy statement. The processing of personal data is based on consent that you have given in the job search service (GDPR article 6 (1) a), if such consent is obtained, or on the grounds that follow below.
The basis for the processing of personal data when recruiting is that the processing is necessary to implement measures before a work agreement with the jobseeker is entered into (GDPR article 6 (1) b). If inquiries are made by us in addition to this, such as contacting persons who are not given as a reference, examining when searching for history, etc., then personal data is processed based on our necessary legitimate interest to ensure the correct candidate for the position (GDPR article 6 (1) f). For the latter, we have considered that our legitimate interest in recruiting new employees outweighs individual privacy. We encourage you not to enter special categories of personal information, such as health, religion, political opinion, union membership, etc. in your application.
Information in the service is deleted as soon as the recruitment is completed if you have not agreed to a longer storage of your personal data.

Storage and deletion of personal data
We store personal information for as long as is necessary for the purpose for which the personal information was collected and delete the information in accordance with requirements in the regulations. How long we process the individual types of information we process is included in the above where the individual ways of processing are discussed.
Instead of deleting the personal data, in some cases it may be relevant to anonymize the personal data. Anonymization means that all identifying or potentially identifying characteristics are removed from data sets that are being processed.
This means, for example, that personal data that we process based on your consent will be deleted if you withdraw your consent. Personal information we process to fulfill an agreement with you is deleted when the agreement has been fulfilled and all obligations arising from the contractual relationship have been fulfilled, such as legal obligations related to accounting, follow-up of the customer relationship related to complaints, etc. Personal data we process because of a legal obligation will be deleted as soon as we have no obligation to store the information.

Transfer or disclosure of personal information to others
We do not pass on personal information to others in cases other than those mentioned in this declaration and unless there is a legal basis for such disclosure.
Examples of such a basis will typically be an agreement with or consent from the data subject or a legal basis that requires us to release the information. The latter applies to public activities such as tax collection (if necessary), accountant / auditor, as well as others that we need in our business, such as a bank connection.
We use data processors to collect, store or otherwise process personal data on our behalf. In such cases, we have entered into agreements to safeguard your rights and security for your personal information at all stages of the processing. See more below.
If it is required by law or there is a suspicion that a crime has been committed in connection with the use of our services, personal information we have stored about you may be disclosed to public authorities.
If personal data may be subject to transfer to another organization in connection with a merger, financing, reorganization or dissolution transaction of all or part of us, we will only do so if the parties involved have entered into an agreement where the collection, use and sharing of personal data is limited to the purposes of the transaction, including a provision as to whether or not the transaction will proceed, and the personal data shall only be used by the parties involved to complete the transaction. If another company buys us or our business or assets, that company will have access to the personal information collected by us and will assume the rights and obligations regarding your personal information as described in this privacy statement.
Transfer of personal data to recipients in countries outside the EEA
It is an objective for us that all processing of personal data shall be carried out within the EEA, but it may be that we use suppliers or process personal data outside the EEA. In such cases, transfer and processing outside the EEA will take place in countries approved by the EU Commission or in accordance with a valid legal basis for the transfer of personal data according to GDPR Chapter V. If transfer to countries approved by the EU Commission does not take place, guarantees set out in Article 46 (2) of the GDPR. You can be informed of the basis used for the transfer if you contact us.

Safety of processing
We give high priority to the security of personal data in our business and will implement all required technical and organizational measures to secure your personal information. All processing will, if possible, be encrypted, and not available to anyone other than those who need personal information for their tasks.
We handle information so that it is correct, accessible, and managed according to the degree of sensitivity of the information. We also use a variety of security technologies and information security procedures to protect your personal information from unauthorized access, use or disclosure. Where necessary, risk assessments are carried out.
We have entered into data processor agreements with all our suppliers who process personal data, where they assume the same degree of security as we have in our processing of personal data.
We restrict access to your personal information to the staff or third parties who process the information on our behalf. These parties are subject to strict confidentiality requirements, and we can impose sanctions or terminate the agreement if these requirements are not complied with.
Routines have been established for handling breaches of information security and routines (privacy breaches), and we will, if there are breaches that pose a risk to the privacy of the personal data concerned, send a non-conformance report to the Data Inspectorate as soon as possible and no later than 72 hours after the breach is discovered. If the breach entails a high probability of the privacy of those affected by the breach, we will also notify them.

Your rights when we process personal information about you
Below are your rights as the registered. To use your rights, you must contact us, see contact information above.
We will respond to your inquiry to us as soon as possible, and no later than 30 days. If it takes longer than 30 days, you will be notified. We will ask you to confirm your identity or provide additional information before we allow you to exercise your rights against us. We do this to make sure that we only give access to your personal information to you – and not someone who pretends to be you.

Control over your personal data
You have the right to receive information about and access to the personal data we process about you. Through this statement, we inform you about our processing of personal data. You can also contact us if you want more information.

Change and delete
You can also ask us to correct or delete information we have about you by contacting us. We will as far as possible accommodate a request to delete personal information, but we cannot do this if we still need the information.

The right to restrict or object against processing
You have the right to have processing restricted in certain cases, see GDPR Article 33, when:
a) You dispute the accuracy of the personal data, for a period that enables us to check the accuracy of the personal data.
b) The processing is illegal, and you oppose the deletion of the personal data and instead request that the use of the personal data be restricted.
c) We no longer need the personal information for the purpose of the processing, but you need it to determine, assert or defend legal claims.
d) You have objected to processing under Article 21 (1) of the GDPR pending the verification of whether our legitimate interests take precedence over your privacy.

The right to data portability
For information that you have provided to us and is necessary to carry out an agreement with us, and which is processed automatically (i.e., not manually by us), you can request that the personal information about you be handed over or transferred to another supplier in a structured, commonly used, and machine-readable format (data portability).

Automated processing, including profiling
There will be no automated processing, including profiling, based on your personal data that has legal effects or that significantly affects those to whom personal data applies. See GDPR Article 22 Nos 1 and 4.

Use of data processors
We do not sell your personal information to third parties, nor do we exchange or pass on such information to third parties. A third party will only have access to the information if this is necessary to perform certain services for us, so that we can deliver our services to you. Relevant information needed to complete the transaction is shared with the payment partner and carrier.
Data processors are other companies that we use to process personal data. Strict agreements are entered into to ensure information security in such cases.

Complaints
Feel free to contact us if you have questions or concerns about how we process your personal data! If you believe that our processing of personal data violates these rules or the privacy legislation, including the Personal Data Act or the Privacy Regulation (GDPR), then you can also complain to the Data Inspectorate (Datatilsynet). You can find information on how to contact the Data Inspectorate on the Data Inspectorate’s website: www.datatilsynet.no.
We use the Norwegian Data Protection Authority in Norway as the leading supervisory authority for cross-border processing in accordance with Article 56 of the GDPR.

Changes
We may have to change the information about the processing of personal data from time to time, e.g., because of changes in the websites or our services, or if there are changes in the regulations on the processing of personal data. If this information changes, we will notify you if we have your contact information. Otherwise, updated information will always be easily available on our website.