This declaration on data protection explains how we collect and use personal data. The CEO of Bouvet is the data controller for our processing of personal data. Possible delegation of day-to-day responsibility is specified under each point. Such delegation covers only the duties and not the responsibility. This declaration contains information you are entitled to know when data are collected from our website (section 19 of the Norwegian Personal Data Act) and general information on the way we process personal data (section 18, paragraph 1 of the Personal Data Act). Processing of personal data on www.bouvet.no.

The web editor has day-to-day responsibility for our processing of personal data on bouvet.nounless otherwise specified below. Provision of personal data is voluntary for those visiting the website in connection with services, such as receiving newsletters. Unless otherwise specified, processing is based on the consent of the individual.

We are our own data processor, and are responsible for developing and maintaining the website. Enonic provides operational services for bouvet.no.

Data collected in connection with operation of the website are stored on dedicated servers operated by the provider. Only we and Enonic have access to the data collected. A specific data processing agreement between us and Enonic regulates the information which the provider can access and how it is to be processed.

Web statistics

We collect anonymised data about visitors on bouvet.no. The purpose of this is to compile statistics which we use to improve and further develop the information offered on the site. Examples of the details provided by these statistics include the number of visitors to different pages, how long their visit lasts, which websites users come from and what browser they use. This information is processed in anonymised and aggregated form. “Anonymised” means that we cannot trace the data we collect back to the individual user. We collect the whole IP address, but this is anonymised so that only the first three groups in the address are used to generate statistics. In other words, if the IP address is 195.159.103.82, only 195.159.103.xx is used. IP addresses are also processed at an aggregate level – in other words, all the data are combined into a group and not processed individually.

The Google Analytics analysis tool is used on our website. We do not provide any information from this tool to other parties.

Cookies

When you visit our bouvet.nowebsite, we register some information about your visit with the aid of a cookie. This is a small file which gets stored in the web browser on the device you are using.

This cookie is not harmful. It contains neither viruses nor programmes. What it does is to store information from our website, such as when you last visited us or data you may have entered in a registration form on bouvet.no.

Information collected by bouvet.nowill never, under any circumstances, be shared or sold. Nor can it identify you personally, but will only be used to analyse your user behaviour in order to improve our website.

We use Google Analytics to analyse user behaviour on our websites. This programme collects information about which pages on the site are most read, what visitors look for on bouvet.no, and so forth. The information cannot be traced back to you. We use these details to improve and further develop our website.

Google Tag Manager

This is an analysis programme which handles other tags and scripts, such as Google Analytics. The information stored cannot be traced back to you. It is utilised to make continuous adjustments and adaptations which allow us to provide our users with the best possible experience on bouvet.no.

Newsletters and communication with existing clients

We distribute newsletters about six-eight times a year via e-mail. For us to send you e-mails, you must register an e-mail address. We use an external data processor to distribute newsletters. Your e-mail address is stored in a separate database, is not shared with others and is erased when you cancel your subscription. This e-mail address is also erased if we receive a notification that it is no longer active. You can choose to specify whether you represent an enterprise or are a private individual. This is done so that we only send you relevant information.

In addition, we conform with section 15 of the Norwegian Marketing Act, and communicate via e-mail about services we have provided earlier.

Surveys

Day-to-day responsibility for our surveys rests with the vice president communications. We use Markedsføringshuset to implement surveys. This company is the responsible data controller for these polls. We will always provide information about the purpose of the survey and whether it is anonymous. We will not share the data with others or use them for purposes other than those specified.

Anonymous surveys

If the survey is anonymous, neither we nor Markedsføringshuset will collect any information which can be traced back to you.

Identifiable surveys

If the survey is not anonymous, we can identify who has responded to the survey. We can also use Markedsføringshuset to distribute the survey.

E-mailing and telephoning

We use e-mail and phone calls as part of our everyday work. Our employees also use e-mails in ordinary dialogue with internal and external contacts. Each employee is responsible for erasing e-mails which are no longer relevant, and for reviewing and erasing unnecessary content in their mailbox at least once a year. When personnel leave, their e-mail account is erased after six months. However, certain relevant e-mails will normally be transferred to colleagues.

Sensitive personal data must not be sent by e-mail. We would make you aware that normal e-mails are not encrypted. We therefore urge you not to send confidential, sensitive or other private data by e-mail.

Phone conversations (numbers of caller and called, as well as date and time of the call) are logged in our telephone exchange. This log is necessary for administering and operating the system, and also provides the basis for compiling statistics at an aggregated level. After a time, external numbers are anonymised by erasing the final four digits. The full log is erased after one year. In addition, employees have an overview of the most recent numbers called on their phones. No other systematic registration of phone conversations is made where the caller can be identified.

Lists of course and seminar participants

When you register for one of our courses, the information is stored for use by the course administration and for securing payment of the course fee.

Our responsibility: we are the data controller for processing personal data in order to book meeting venues, and for registering and administering registration of participants on our courses.

We use a registration solution developed in-house. This solution allows you to sign up for courses by providing your name, contact information and employer. We also ask you to provide information on possible allergies and requirements for adaptation/customisation. Personal data for administrating registration are erased six months after completion of the course. Information on attendance at the course and on taking the exam is retained in order to be able to reproduce course confirmations and certificates at the request of the participants.

We are the data controller for processing personal data in connection with financial aspects and payments from and to participants and meeting venues, accounting and bookkeeping, including storage pursuant to the bookkeeping regulations.

List of visitors

Visitors authorised to move about unaccompanied in our premises are entered on a list, which is retained for a maximum of two years after the visit.

Data on employees

We process personal data on our employees in order to administer pay and personnel responsibilities. The legal basis rests on section 8, paragraph 1, section 8 a), b) or f) and section 9 a), b) and f) of the Personal Data Act. Our regional vice presidents and administration have the day-to-day responsibility for this. Information required for disbursing pay is registered, such as basic data, level of pay, time registration, tax rate, residence for tax purposes and union affiliation. Other data about employees relate to their job instructions and customisation of their work.

Data are furthermore registered in connection with key administration of entrances and exits, and about access management in the IT system. These data are collected from the employees themselves. They are only disclosed in connection with disbursing pay and other legally required disclosures. Erasure routines for personal data comply with the Norwegian Accounting Act. All job applications are entered in our recruitment system and stored in our electronic archive for about a year before being destroyed. All other documents, including lists of applicants and recommendations, are retained pursuant to section 16 e) of the Personal Data Act (internal preparatory consideration is not disclosed to others). Responsibility for these data rests with the person responsible for recruitment.

All former and current employees have a personnel folder in our human resources system, where such information as their job application is archived/preserved. Personnel folders are retained (in other words, the job application is not erased or destroyed). Personnel folders are otherwise cleared out when the employment relationship terminates.

Logging in our technical systems

We have ordinary security logs for our technical systems, and responsibility for these has been delegated to the security manager. The logs register employee use of the technical system. No further information is provided here in order to protect the security of our systems.

The legal basis for such logs is the requirement for logging in sections 2-8 and 2-14 of the personal data regulations as well as section 8 f) of the Personal Data Act in order to meet the company’s need for security of information assets other than personal data.

Rights

Pursuant to section 18, paragraph 1 of the Personal Data Act, everyone who requests it has the right to basic information on the processing of personal data in an enterprises. We have provided that information in this by, and will refer to it in the event of possible inquiries. Those registered in one of our systems have the right to access their own information. They also have the right to request the correcting, erasing or supplementing of inaccurate or incomplete data, or of information we do not have the right to process. Requests from the person registered must be responded to free of charge and within 30 days at the latest.

Questions about personal data in Bouvet can be addressed to [email protected].