Privacy statement – Hallgruppen

1 INTRODUCTION

This privacy statement describes the processing of personal data by Hallgruppen. We describe which personal data is processed for which purposes, the legal basis for the processing, and other relevant matters related to this.
Hallgruppen collects and processes personal data for the purposes based on our enterprise, including product sales and services to customers, both in the private and corporate market. We also collect personal data when you visit our websites. For employees and job applicants, a separate privacy statement applies.
We process personal data in accordance with any privacy regulations applicable at any given time, including the EU General Data Protection Regulation (“GDPR”).

2 PROSESS CONTROLL

We are the controller of all personal data processed in accordance with this privacy policy, and for the purposes described below. The board of directors of Hallgruppen is overall responsible for this processing, and the daily follow-up is delegated to the CEO.

3 PURPOSE OF OUR PROCESSING OF PERSONAL DATA

3.1 Trade, customer contact, communication, invoicing, etc.
We collect and register personal data about our customers’ contact persons, suppliers, and other connections we have contact with, in order to keep in contact with our customers, inform about products, orders, process purchases, organize deliveries, submit invoices, etc.
In such cases, we process names, email addresses and telephone numbers of contact persons, and possibly also correspondence with contact person, processed orders, etc.
If you as a private person are a customer, the basis for our processing of your personal data is our agreement with you, cf. GDPR article 6 no. 1 letter b). In which case your personal data are processed and retained for as long as you are our customer, and for three years after the customer relationship has ended.
However, if you are employed by one of our corporate customers, the legal basis for our processing of your personal data follows from our legitimate interest in processing information about our customers’ contact persons for purposes described above, cf. GDPR article 6 no. 1 letter f), where our interests outweigh the data subject’s privacy. The personal data are retained for as long as you are employed by one of our customers. The personal data will be erased no later than one year after we have been notified that you are no longer employed by of our customers.
If necessary, personal data will in both cases be processed in accordance with statutory rules on retention, e.g., national rules on retention of accounting data, including invoices.
The personal data are collected from you or your employer.

3.2 Contact form, questions from the web
Our web pages contain contact forms where you can fill in your name, email, mobile number, area of interest, company name and a comment, if desired. We will process these personal data for the purpose of answering your questions. The processing is based on your implicit consent that we may process your contact information for the said purpose, based on you voluntarily submitting this to Hallgruppen via our website, cf. GDPR article 6 no. 1 letter a).
We process the submitted personal data for as long as it is necessary, in order to answer your question. We will delete the personal data no later than one year after the last contact between you and Hallgruppen – unless you become a customer. In such case we process personal data about you for this purpose, in accordance with the description above.

3.3 Newsletter marketing
Hallgruppen sends out weekly newsletters to people who have consented to receive these newsletters. The legal basis for our processing of your personal data for this purpose, follows from the consent you have given, cf. GDPR article 6 no. 1 letter a). You can withdraw this consent at any time, and such withdrawal will have no consequences for you, other than that you will no longer receive newsletters from us.
You can withdraw your consent by sending us an email. You will find our contact information below. You can also withdraw your consent by clicking on your own “unsubscribe” link in the newsletter you have received.

3.4 Logging of visits to web pages
Our web systems log your activity when you visit our web pages. The logs are analysed in the event of hacking or other types of attacks or criminal activity, directed towards us or our websites. The information stored are your IP address and links you have clicked on, your browser, and other information about your browser and personal computer. The basis for the processing of these personal data is GDPR article 6, No. 1, letter f), where after an assessment we have found it necessary to log such traffic to be able to monitor and secure our system. The system and security logs are stored for six months prior to being erased.

3.5 Processing of cookies
We process cookies when you visit our websites. Please see our cookie statement available on our web pages with information about which cookies are used, the purpose of the processing, and the storage and erasing time.

3.6 Open application sent by email
You may send us an open job application by e-mail post@hallgruppen.no. The legal basis for processing the application, is your implicit consent to store your job application and to assess you when we have vacancies. We retain and process your personal data for as long as you consent to such processing. You can withdraw your consent to our processing of your job application at any time. In which case we will delete the application. We will no longer be able to process the personal data to assess you for future vacancies.
We will annually send you an e-mail and request if you still want us to continue storing your open job application, or if it should be deleted from our systems.

4 WHO WILL ACCESS TO YOUR PERSONAL DATA?
Your personal data will only be processed by employees or hired personnel who have a legitimate requirement to access the personal data. Employees and hired personnel have all signed a declaration of confidentiality which imposes on them a duty of confidentiality regarding personal data they become aware of, or otherwise processes in connection with their work.
The declaration of confidentiality applies also after the employment or hiring relationship has ended.

5 STORAGE AND ERASURE OF PERSONAL DATA
The personal data are stored and processed for as long as it is necessary for the purpose for which the personal data were collected. We have implemented routines for erasing these personal data for each processing purpose, according to current privacy regulations, and as described above.

6 TRANSFER AND DISTRIBUTION OF PERSONAL DATA
All personal data we process are stored on IT systems located within the EU/EEA area.
The personal data are not transferred to third countries.
Your personal data will not be transferred to third parties unless you request us to do so, or we are required by law or court order to perform such transfer.

7 USE OF PROCESSORS
Hallgruppen procures services from acknowledged IT suppliers, including assistance in operating and maintaining the systems where your personal data are stored and processed. We have entered into data processor agreements with all our suppliers, and we ensure that all such data processor agreements meet the requirements for data security and privacy according to the current privacy regulations.
As of today, the following data processors are used:
• Visma
• SuperOffice CRM
• Ninjaforms
• FreeSpee

All processing of personal data takes place within the EU/EEA area.

8 INFORMATION SECURITY
Our processing of your personal data is carried out in a secure manner and in accordance with requirements according to the privacy regulation in force at any given time. We have implemented necessary technical and organizational security to ensure appropriate information security for the personal data we process.
Regular risk assessments are carried out for this processing, and we have established routines for dealing with any personal data breach, including routines for notifying the Data Protection Authority and possibly also registered persons who are affected by the breach.

9 RIGHT TO ACCESS, RECTIFICATION AND ERASURE OF PERSONAL DATA
In accordance with current data protection regulations, you have several rights related to our processing of your personal data.
Your rights under the data protection regulations are:
• With the exceptions that may follow from national legislation, you have the right, at any time, to request access to personal data we process about you. You may also demand rectification of any inaccurate or incomplete personal data concerning you.
• Under certain circumstances, you have the right to demand that we erase your personal data. Further regarding erasure, see below.
• In some cases, you have the right to demand that we limit the processing of your personal data and/or the right to protest against the processing of your personal data.
• In some cases, you have the right to be distributed (receive) personal data you have shared with us, in a structured, regular and machine-readable format, and you can request for data to be transferred to another data controller, e.g. another similar organization (so-called right to data portability).
Inquiries regarding your rights can be directed to post@hallgruppen.no. Other contact information can be found below. We may ask you to confirm your identity before we possibly assess and process your inquiry if we find it necessary to ensure data security and privacy.
We will respond to your inquiry as soon as possible, and no later than one month.

10 DETAILED ABOUT THE RIGHT TO ERASURE
We will erase all personal data we process about you without undue delay, after we have received your inquiry for such deletion, and in accordance with the deadlines that follow from the general data protection regulation. However, the information will not be erased if we have other legal bases for processing and the need for continued storing your personal data. If there is such a basis for processing, we will provide information about this when you contact us, including information about the basis for processing and when the information may be erased.

11 COMPLAINT ABOUT PERSONAL DATA PROCESSING
You may complain to the Data Protection Authority if you believe that our processing of your personal data is not in accordance with this privacy statement or applicable with privacy legislation.
Data Protection Authority’s updated information can be found here:
https://www.datatilsynet.no/om-datatilsynet/kontakt-oss/

12 CHANGES TO THE PRIVACY STATEMENT
We reserve the right to update and amend this privacy statement when needed and required by the current privacy legislation. You will always find the current version of our privacy statement on our web pages.

13 OUR CONTACT INFORMATION
Hallgruppen AS
Karoline Eggens vei 3
2016 Frogner
Org. nr. 915 846 432
Phone: 400 05 077
***

This privacy statement was last updated on June 8, 2022.