Data protection declaration
Rana Utvikling AS (RU) acts as the business development agency for Rana local authority and as a regional resource for developing commercial activities. Its most important job is to facilitate the development of new and existing enterprises and to help improve operating parameters for business. In order to do its job and fulfil its purpose, the company depends on processing various kinds of personal data. This data protection declaration describes how RU collects and uses specific personal data.
The declaration provides information you are entitled to receive when data are collected from the RU website (section 19 of the Norwegian Personal Data Act and article 13 of the EU’s general data protection regulation (GDPR)) and general details about how the company processes personal data (section 18, paragraph 1 of the Norwegian Personal Data Act and article 14 of the GDPR).
The CEO of RU is the data controller responsible for the company’s handling of personal data from employees, clients, suppliers, partners, website users and users of its digital questionnaire surveys and testing tools.
CEO, RU: Ole Kolstad, firstname.lastname@example.org.
Personal data collected/processed
RU primarily collects information directly from clients, partners and employees. Occasions for such collection include applying for support from its business and entrepreneur fund, registration for its entrepreneur courses and seminars, preparation of business assessments for the Norwegian Labour and Welfare Administration (NAV), or entering into a client or collaborative relationship. Data stored primarily include name, address, phone numbers, e-mail address and invoicing details. National identity numbers are also stored for employees and directors, and when preparing business assessments for the NAV.
Purpose of the information processed
All processing of personal data must have a specific, explicit purpose which is legitimate in relation to the business. See article 5-1 b of the GDPR. Purposes for processing information at RU are:
- processing of applications for grants from the RU business and entrepreneur fund
- establishing and following up client/collaboration relations
- preparing business assessments for the NAV
- knowledge management (such as reusing documents in later cases)
- employee administration.
Document management and storage
RU utilises a document management and storage system for holding information and personal data on employees, clients and partners. The company has special agreements with each supplier. Its data processors store RU’s data, and this collaboration is regulated by data processor agreements. Data processors do not disclose data to third parties without legal authorisation.
E-mail and phones
RU utilises e-mail and phones as part of its day-to-day work in order to serve client and partner interests. Relevant data provided through phone conversations and e-mail exchanges are registered. Each project manager is responsible for archiving relevant e-mails in the document management system associated with the specific project, and messages are otherwise deleted when they cease to be current. When employees leave, their e-mail accounts are deleted. However, some relevant e-mails will normally be transferred to colleagues in RU.
Disclosure of personal data
RU does not share data about you with third parties, with the exception of client information for invoicing and data about employees related to pay, pensions and insurance. This is regulated through specific agreements with the subcontractors. Business assessments are delivered directly to the person concerned, by either post or e-mail as specified by the data owner. These data are not disclosed to third parties.
How long personal data are held.
Pursuant to section 13 of the Norwegian Accounting Act, accounting data must be retained for five years or for three years and six months from the end of the accounting year, depending on the kind of data concerned.
RU retains personal data collected for as long as the company considers this to be necessary to fulfil the purpose of collecting the data. This means that your personal data can be retained for a reasonable period after your last interaction with RU. When personal data RU has collected are no longer required, they are deleted in a secure manner.
Everyone has the right to receive basis information on request about the processing of personal data in an enterprise, pursuant to section 18, paragraph 1 of the Norwegian Personal Data Act and articles 13 and 14 of the GDPR. Those who are registered in RU’s systems have the following rights.
- To access their own data.
- To request that inaccurate or incomplete data are corrected, pursuant to section 16 of the GDPR.
- To request that the data be erased, pursuant to section 14 of the Norwegian Personal Data Act. This right applies only if the enterprise no longer needs the information for its current processing purpose.
You can contact RU if you require more information about how the company processes personal data.
Right to complain
If you are dissatisfied with the way your personal data are being processed, you can contact email@example.com in the first instance. If you still believe that the company has failed to respect your rights pursuant to the Norwegian Personal Data Act and the GDPR, you have the right to complain to the relevant regulator. This is done by submitting your complaint to the Norwegian Data Protection Authority. Contact information for the authority can be found at www.datatilsynet.no.
Last updated: 27 June 2018