Privacy policy – Hallgruppen

1 INTRODUCTION

This privacy statement describes the processing of personal data by Hallgruppen. We describe which personal data is processed for which purposes, the legal basis for the processing, and other relevant matters related to this.
Hallgruppen collects and processes personal data for the purposes based on our enterprise, including product sales and services to customers, both in the private and corporate market. We also collect personal data when you visit our websites. For employees and job applicants, a separate privacy statement applies.
We process personal data in accordance with any privacy regulations applicable at any given time, including the EU General Data Protection Regulation (GDPR).

2 DATA CONTROLLER

We are the controller of all personal data processed in accordance with this privacy policy, and for the purposes described below. The board of directors of Hallgruppen is overall responsible for this processing, and the daily follow-up is delegated to the CEO.

3 PURPOSE OF OUR PROCESSING OF PERSONAL DATA

3.1 Trade, customer contact, communication, invoicing, etc.

We collect and register personal data about our customers’ contact persons, suppliers, and other connections we have contact with, in order to keep in contact with our customers, inform about products, orders, process purchases, organize deliveries, submit invoices, etc.
In such cases, we process names, email addresses and telephone numbers of contact persons, and possibly also correspondence with contact person, processed orders, etc.

If you as a private person are a customer, the basis for our processing of your personal data is our agreement with you, cf. GDPR article 6 no. 1 letter b). In which case your personal data are processed and retained for as long as you are our customer, and for three years after the customer relationship has ended.
However, if you are employed by one of our corporate customers, the legal basis for our processing of your personal data follows from our legitimate interest in processing information about our customers’ contact persons for purposes described above, cf. GDPR article 6 no. 1 letter f), where our interests outweigh the data subject’s privacy. The personal data are retained for as long as you are employed by one of our customers. The personal data will be erased no later than one year after we have been notified that you are no longer employed by of our customers.
If necessary, personal data will in both cases be processed in accordance with statutory rules on retention, e.g., national rules on retention of accounting data, including invoices.

The personal data are collected from you or your employer.

3.2 Contact form, questions from the web

Our web pages contain contact forms where you can fill in your name, email, mobile number, area of interest, company name and a comment, if desired. We will process these personal data for the purpose of answering your questions. The processing is based on your implicit consent that we may process your contact information for the said purpose, based on you voluntarily submitting this to Hallgruppen via our website, cf. GDPR article 6 no. 1 letter a).

We process the submitted personal data for as long as it is necessary, in order to answer your question. We will delete the personal data no later than one year after the last contact between you and Hallgruppen – unless you become a customer. In such case we process personal data about you for this purpose, in accordance with the description above.

3.3 Newsletter marketing

Hallgruppen sends out regular newsletters to people who have consented to receive these newsletters.

The legal basis for our processing of your personal data for this purpose, follows from the consent you have given, cf. GDPR article 6 no. 1 letter a). You can withdraw this consent at any time, and such withdrawal will have no consequences for you, other than that you will no longer receive newsletters from us.

You can withdraw your consent by sending us an email. You will find our contact information below. You can also withdraw your consent by clicking on your own “unsubscribe” link in the newsletter you have received.

3.4 Logging of visits to web pages

Our web systems log your activity when you visit our web pages. The logs are analysed in the event of hacking or other types of attacks or criminal activity, directed towards us or our websites. The information stored are your IP address and links you have clicked on, your browser, and other information about your browser and personal computer. The basis for the processing of these personal data is GDPR article 6, No. 1, letter f), where after an assessment we have found it necessary to log such traffic to be able to monitor and secure our system. The system and security logs are stored for six months prior to being erased.

3.5 Use of cookies and tracking technologies

We use cookies and similar tracking technologies, including tracking pixels, web beacons and server-side tracking, when you visit our websites. These technologies are used for purposes including analysing website usage, measuring marketing effectiveness, and improving the user experience.

We distinguish between strictly necessary tracking technologies (required for the website to function) and optional tracking technologies (which require your consent). For optional technologies, we ask for your consent via our consent banner on your first visit, and you can change your preferences or withdraw consent at any time.

Please see our separate cookie statement available on our websites for a complete overview of which cookies and tracking technologies we use, the purpose of the processing, recipients of the data, and storage and erasure periods.

See also section 3.6 below for more information about our use of tracking pixels for marketing and analytics.

3.6 Marketing pixels and advertising

When you have consented to marketing cookies via our consent banner, we use the following tracking technologies:

Meta Pixel and Conversions API (CAPI): We use Meta Pixel and Conversions API to measure the effectiveness of our marketing on Facebook and Instagram and to create custom audiences. When you visit our websites with marketing consent, we share with Meta: your IP address, browser and device information, pages visited, and actions you take (such as form submissions or page views). For improved measurement, we also use Advanced Matching, which means we share hashed (one-way encrypted) versions of your name, email address, and phone number if you provide them via our forms. The legal basis for this processing is consent under GDPR Article 6(1)(a). Meta Platforms Ireland Ltd. acts as a joint controller for parts of this processing. Data is transferred to Meta Platforms Inc. in the United States.

Google Analytics 4 (GA4): We use GA4 to analyse the usage of our websites. Data shared with Google includes an anonymised IP address, browser and device information, pages visited, and time spent on pages. The legal basis is consent under GDPR Article 6(1)(a). Data is primarily processed in the EU but may be transferred to Google LLC in the United States.

Google Ads conversion tracking: We measure conversions from our advertising campaigns. Similar data to the above is shared with Google. The legal basis is consent.

Server-side tracking via Stape: We use a server-side tracking solution provided by Stape to improve data quality and privacy by routing data through our own server before forwarding it to Meta and Google.

Transfers to third countries (the United States) take place on the basis of the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework, under which Meta and Google are certified.

You can withdraw your consent at any time via the consent banner at the bottom of the page or by visiting our cookie statement.

3.7 Open application sent by email

You may send us an open job application by e-mail [email protected]. The legal basis for processing the application, is your implicit consent to store your job application and to assess you when we have vacancies. We retain and process your personal data for as long as you consent to such processing. You can withdraw your consent to our processing of your job application at any time. In which case we will delete the application. We will no longer be able to process the personal data to assess you for future vacancies.

Your personal data will be deleted after 6 months at the latest.

4 WHO WILL ACCESS TO YOUR PERSONAL DATA?

Your personal data will only be processed by employees or hired personnel who have a legitimate requirement to access the personal data. Employees and hired personnel have all signed a declaration of confidentiality which imposes on them a duty of confidentiality regarding personal data they become aware of, or otherwise processes in connection with their work.
The declaration of confidentiality applies also after the employment or hiring relationship has ended.

5 STORAGE AND ERASURE OF PERSONAL DATA

The personal data are stored and processed for as long as it is necessary for the purpose for which the personal data were collected. We have implemented routines for erasing these personal data for each processing purpose, according to current privacy regulations, and as described above.

6 TRANSFER AND DISTRIBUTION OF PERSONAL DATA

The majority of personal data we process is stored on IT systems located within the EU/EEA area.

However, certain processing activities involve the transfer of personal data to third countries (outside the EU/EEA), specifically:

  • Marketing and analytics tracking via Meta and Google, where data is processed in the United States
  • Microsoft cloud services for email, file storage, and collaboration

These transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The EU-US Data Privacy Framework, where the recipient is certified under the framework
  • Additional technical and organisational measures, including encryption and access controls

Your personal data will not be disclosed to other third parties unless there is a legal basis for doing so. Examples of such a basis typically include an agreement with you or a statutory obligation requiring us to disclose information.

7 USE OF PROCESSORS

Hallgruppen procures services from acknowledged suppliers who process personal data on our behalf. We have entered into data processor agreements with all our suppliers. These agreements meet the requirements for data security and privacy under applicable data protection legislation.

As of today, the following data processors are used:

Marketing and advertising:

  • Meta Platforms Ireland Ltd. (Facebook, Instagram – Meta Pixel and Conversions API)
  • Google Ireland Ltd. (Google Ads, Google Analytics 4, Google Tag Manager)
  • Stape (server-side tracking / CAPI Gateway)

Customer management and communication:

  • SuperOffice CRM
  • Brevo (email and transactional mail)
  • Ninjaforms (web forms)
  • Nimbata (call tracking)

Operations and infrastructure:

  • Microsoft Ireland Operations Ltd. (Microsoft 365 – email, file sharing, and collaboration)
  • Cloudflare, Inc. (DNS, content delivery, hosting)
  • Oderland Webbhotell AB (web hosting)
  • Supabase, Inc. (database for internal dashboards)

Consent management:

  • Cybot A/S, trading as Cookiebot by Usercentrics

All processing of personal data takes place in accordance with the GDPR. Transfers to third countries take place on the basis of Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework, as described in section 6.

8 INFORMATION SECURITY

Our processing of your personal data is carried out in a secure manner and in accordance with requirements according to the privacy regulation in force at any given time. We have implemented necessary technical and organizational security to ensure appropriate information security for the personal data we process.
Regular risk assessments are carried out for this processing, and we have established routines for dealing with any personal data breach, including routines for notifying the Data Protection Authority and possibly also registered persons who are affected by the breach.

9 RIGHT TO ACCESS, RECTIFICATION AND ERASURE OF PERSONAL DATA

In accordance with current data protection regulations, you have several rights related to our processing of your personal data.

Your rights under the data protection regulations are:

  • With the exceptions that may follow from national legislation, you have the right, at any time, to request access to personal data we process about you. You may also demand rectification of any inaccurate or incomplete personal data concerning you. Under certain circumstances, you have the right to demand that we erase your personal data. Further regarding erasure, see below.
  • In some cases, you have the right to demand that we limit the processing of your personal data and/or the right to protest against the processing of your personal data.
  • In some cases, you have the right to be distributed (receive) personal data you have shared with us, in a structured, regular, and machine-readable format, and you can request for data to be transferred to another data controller, e.g., another similar organization (so-called right to data portability).

Inquiries regarding your rights can be directed to [email protected]. Other contact information can be found below. We may ask you to confirm your identity before we possibly assess and process your inquiry if we find it necessary to ensure data security and privacy.

We will respond to your inquiry as soon as possible, and no later than one month.

10 DETAILED ABOUT THE RIGHT TO ERASURE

We will erase all personal data we process about you without undue delay, after we have received your inquiry for such deletion, and in accordance with the deadlines that follow from the general data protection regulation. However, the information will not be erased if we have other legal bases for processing and the need for continued storing your personal data. If there is such a basis for processing, we will provide information about this when you contact us, including information about the basis for processing and when the information may be erased.

11 COMPLAINT ABOUT PERSONAL DATA PROCESSING

You may complain to a data protection supervisory authority if you believe that our processing of your personal data is not in accordance with this privacy statement or applicable privacy legislation. You can lodge a complaint with the supervisory authority in your country of residence, place of work, or place where the alleged infringement occurred.

As Hallgruppen AS is established in Norway, the lead supervisory authority is the Norwegian Data Protection Authority (Datatilsynet):

https://www.datatilsynet.no/om-datatilsynet/kontakt-oss/

A list of all EU/EEA data protection authorities can be found here:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

12 CHANGES TO THE PRIVACY STATEMENT

We reserve the right to update and amend this privacy statement when needed and required by the current privacy legislation. You will always find the current version of our privacy statement on our web pages.

OUR CONTACT INFORMATION

Hallgruppen AS
Karoline Eggens vei 3
2016 Frogner
Norway
Org. no. 915 846 432
Phone: +47 40 00 50 77
Email: [email protected]

***

This privacy statement was last updated on 15 May 2026.