Schibsted as controller of your personal data
Empowering people in their daily lives through our products and services is at the core of Schibsted’s business. We have a range of different sites, products and services, and use data across these to deliver this core purpose under the controllership and responsibility of country specific Schibsted controllers. Handling personal data in a secure way, so that we can receive and maintain our users’ trust in us and our services, is of paramount importance for us.
We value our users’ privacy highly. We also know that using personal data is key to delivering the products and services our customers expect. We strive to be completely transparent about our processing of personal data, and commit to always seek the right balance between privacy and commercial interests. If you have any questions, do not hesitate to contact our privacy team.
This document gives you a high-level overview of what we collect, why we collect it, who it may be shared with and how to access your rights over your personal data. To read a more detailed description of how personal data is processed in each Schibsted country, please consult the country specific privacy and cookie policies. We refer to these throughout this document.
If you have questions or queries about Schibsted’s processing of your personal data, you can reach the Schibsted privacy team via this contact form. We promise to respond to all queries within 30 days.
You can also address any concerns or complaints at any time to the national data protection authorities: Datatilsynet in Norway, Integritetsskyddsmyndigheten in Sweden, Tietosuojavaltuutettu in Finland, and Datatilsynet in Denmark.
The purposes Schibsted uses your personal data for
Within the services that we offer, Schibsted primarily uses your personal data for the following purposes:
- We deliver high quality news and journalistic content, as well as related product functions. Our users get access via digital services online, or physical delivery by mail. We use personal data to manage these customer relationships.
- We provide online marketplaces that facilitate consumer-to-consumer and business-to-consumer transactions, marketing and communication. We also let professionals post job advertisements and job seekers apply for relevant jobs.
- We provide price and product comparison services , where users may review products and online stores, and access the different online stores via links.
- We provide distribution, delivery and connected services for delivery of products such as, but not limited to, newspapers, packages, magazines, bread and juice. We deliver products from our own brands to the home address or a local pick up point of our users.
- Through Schibsted account, or other site specific log-ins, we offer secure access to our services. Here you can also manage your privacy choices, verify your contact details and establish a trusted identity for interactions with other users of our services.
- We provide customer service to users via telephone, email, the social media pages of our brands and chat.
- We manage payments, invoicing and additional activities and documentation we are required to do under book-keeping regulations.
- We improve our services based on analyses of user behavioural data, surveys and user research.
- We keep our sites and services secure, using data to protect our users and ourselves from fraudulent activities, violations of our policies and abusive behaviour.
- We show targeted advertising to users and measure its effectiveness.
- We deliver personalised content to users, for example a selection of personalised content on the front page of some news services, newsletters that we send to users of our services and recommendations of classified ads in our marketplaces.
- We show our users marketing messages for services from within Schibsted via email, in-product sales offers and other channels, such as social media platforms, including retargeting on third party sites.
- We provide our business with data insights and analytics that gives details about how the Schibsted ecosystem of services are being used, so that the people who are working with our services can get inspired, gain knowledge and provide our users with better products and services and even find use cases so new products and services can be created.
- We process data about professional partners and their employees within our business-to-business sales and services.
The categories of personal data processed by Schibsted
The categories of personal data Schibsted generally collects:
- Basic profile data (like name, address, email address, date of birth, gender and other profile data necessary for providing specific services.)
- Account data (like account activity and subscriptions to services, privacy settings, support queries, account security data (e.g. passwords))
- Information we receive from third parties (like tips, requests, notices and other feedback we receive from other users or third parties related to marketplaces services.)
- Payment, order and financial information (like purchase history and details, payments due and received, payment methods)
- User generated content (like comments on news articles, feedback through user surveys and user rating/reviews. Classified ads and messages between sellers and buyers on a marketplace.)
- Behavioural and technical data (like device identifiers, cookie identifiers, network address identifiers (IP address), user browsing and reading history and actions (clicks and user inputs), and email opening and reading data.)
- Location data (like GPS data and IP address as associated to location data)
- Inferred data about our users (like predicted interests and user preferences, likely locations, likely demographics)
- Advertising effectiveness data (like ad views, frequency and duration of views, and user interactions with the advertisement)
- B2B Client Details (for our corporate customers and our contact points within their businesses, we collected business role, related contract details, contact details)
How your personal data is shared with other parties
When Schibsted processes personal data, personal data is sometimes shared with other parties. These other parties are either
- Data processors, which mean companies operating under a binding legal agreement with Schibsted. They can only process data for the specific purposes that Schibsted allows them to and only use other third parties in that processing as allowed by Schibsted. Examples would include Amazon Web Services, Zuora, Braze, and similar companies.
- Data controllers, which mean companies who use the data independently and have full responsibility towards the user for the company’s use of the user’s personal data for the specific purposes data is shared for. They also have full responsibility for any third parties that may be involved in the processing of the user’s personal data. Schibsted would share that data only when it’s necessary to deliver a product or service to you (for example giving your address to a distribution service so they can make a home delivery or enable professional sellers on our marketplaces to deliver goods that our users have purchased etc). On those of our sites that show advertising, a selected list of companies and vendors are also allowed to buy ad inventory (space where advertising is allowed) from us. In some cases, this means that the companies and/or vendors act as separate data controllers for the data that is being processed.
Additionally, we may share personal data upon request or at our own initiative with public authorities in the markets we operate in if we consider that we are legally required to do so. This can be information relating to ads or message history. From time to time we may also assist and share relevant information that we are in possession of with the users of our marketplaces when they ask us to assist in disputes relating to i.e. fake or fraudulent ads, and we consider that information may help solve the dispute.
We also support scientific research and experimental development projects with data and insights from our services, however, in such cases we only provide the relevant institution with anonymised data sets.
Transfers of Data outside of the EU/EEA
Where Schibsted is the data controller and uses data processors that are located outside of the EU/EEA, we do this only in cases where
- the transfer location and recipient is judged to be adequate under rules established under the GDPR, or
- the transfer takes place under the standard contractual clauses as defined by the EU Commission to regulate such transfers under the GDPR and necessary supplementary safeguards have been implemented.
Schibsted operates with the general rule that we only keep user personal data for as long as we have to in order to fully execute the purpose for which it was collected. We also store data based on legal requirements like book-keeping and accounting requirements. Specific retention periods may vary depending on the country.
Your rights as a user and as a data subject
Users have legally defined rights relating to personal data about them. Schibsted is fully committed to supporting users in accessing and using those rights. Schibsted aims to respond to any requests related to these rights as quickly as possible, but always within 30 calendar days. We explain below, in a general level, which rights you have and how you can use them. For more information visit the country-specific privacy and cookie policies.
The right of access / the right of data portability
We provide access to data mainly via the Schibsted or other digital account administration interface. In some instances users may need to contact customer support to request access to their data.
The right to rectification
It is possible to correct profile details in the user’s digital account at any time.
The right to erasure
Users can request a deletion of their personal data as held by Schibsted at any time by accessing the Schibsted or other digital account administration interface. In some instances users may need to contact customer support to request data deletion.
The right to restrict processing and the right to object to processing
Schibsted provides choices and controls for users to manage how their personal data is processed. This includes the possibility to restrict and object to processing and withdraw consents connected to personal data processing. These settings can typically be found in the footer of websites and mobile application settings. Some of the controls are also presented on your Schibsted or other digital account administration interface. Read more about the controls offered in each country from the country specific privacy and cookie policies.
The right to avoid automated decision-making with legal or similar effects
Schibsted does not make automated decisions about our users that have any legal or similar effect.
Use of data for journalistic purposes
Schibsted media houses also process personal data for journalistic purposes. Due to freedom of speech and access to information concerns, there are large parts of the regulations for personal data that do not apply to processing of personal data for journalistic purposes. Schibsted media houses have a strong focus on information security and meet all the legal obligations of their business, as well as the obligations of their editorial operations.