Schibsted as controller of your personal data
Empowering people in their daily lives through our products and services is at the core of Schibsted’s business. We have a range of different sites, products and services, and use data across these to deliver this core purpose under the controllership and responsibility of Schibsted Sverige and, in Norway, of Schibsted Norge. Handling personal data in a secure way, so that we can receive and maintain our users’ trust in us and our services, is of paramount importance for us.
We value our users’ privacy highly. We also know that using personal data is key to delivering the products and services our customers expect. We strive to be completely transparent about our processing of personal data, and commit to always seek the right balance between privacy and commercial interests. If you have any questions, do not hesitate to contact our privacy team.
Personal data as used for journalistic purposes is under the control of the individual publishing organisations. You can find their contact details on the website of each organisation, e.g. vg.no or aftonbladet.se .
This document gives a summary of what data we collect, why we collect it, who it may be shared with and how to access your rights over your personal data. If you have questions or queries about Schibsted’s processing of your personal data, you can reach the Schibsted privacy team through this online contact form for Sweden or this online contact form for Norway. We promise to respond to all queries within 30 days.
The purposes Schibsted uses your personal data for
Schibsted primarily uses your personal data for the following purposes.
- we deliver high quality news and journalistic content, as well as related product functions, to our users via digital services delivered over the Internet to your device or traditional physical delivery by mail, and use personal data to manage these customer relationships
- through Schibsted account we offer secure access to our services, execute your privacy choices on your personal data and establish your trusted identity and verified contact details for interactions with other users of our services
- we provide customer service to users via telephone, email and online instant messaging
- we manage payments, invoicing and similar obligations our companies fulfill as driven by book-keeping regulations
- we improve our services based on analyses of user behavioural data
- we keep our sites and services secure, using data to protect our users from fraudulent activities or abusive behaviour
- we show targeted advertising to users within our services and measure its effectiveness
- we deliver personalised content to users within our services, for example partially personalised selections of content on the front pages of some news services
- we show our users and customers marketing messages for services from within the Schibsted family of brands via email, in-product sales offers and other channels.
- we process data about advertising customers, partners and their employees within our advertising sales business.
You can find a detailed breakdown of these purposes, as well as the legal bases which enable them, the legitimate interests pursued by Schibsted Sverige and other key information about the legal bases for personal data processing here.
Schibsted offers controls for users to allow them to manage these processing activities here for ads and via the settings pages of our services for all other processing activities as used by each individual service.
The categories of personal data processed by Schibsted
The categories of personal data Schibsted collects and the source of that data are shown in the table below.
|Personal Data Category||Description||Source|
|Basic profile data||Name, address, email address, date of birth, etc||Schibsted account and newsletter subscription pages, as completed by the user. We use third party sources such as Bisnode to check and complete profile data in some cases.|
|Account data||Account activity, privacy settings, support queries, account security data (e.g. passwords)||Directly from the user, via records of interactions with customer service representatives customer and via tools to track individual user behaviour.|
|Payment and financial data||Purchase history and details, payments due and received, payment methods (e.g. payment card details, bank details), customer demographic data||Directly from the user, via records of their payment activities and via third parties such as Bisnode for customer demographic data|
|User-generated content||Comments on news articles, competitions, online games (e.g. fantasy football)||Directly from the user|
|Behavioural and technical data||Device identifiers, cookie identifiers, network address identifiers (IP address), location data, user browsing and reading history and actions (clicks)||Directly from the user or from the user's device|
|Inferences about and recommendations for the user||Inferred interests, likely locations, likely demographics, etc||Derived by Schibsted from user behavioural and technical data over time, as well as from basic profile data.|
|Advertising effectiveness data||Advertisement viewing events, frequency of view, duration of view and user interactions with the advertisement||Directly from the user's interactions with advertising content displayed in the website or app|
|B2B Client Details||For our corporate customers and our contact points within their businesses, we collected business role, related contract details, contact details, etc||Directly from the user in their contact with Schibsted representatives|
How your personal data is shared with other parties
When Schibsted processes personal data, personal data is sometimes shared with other parties. These other parties are either
- Data processors, which mean companies operating under a binding legal agreement with Schibsted Sverige/Schibsted Norge and who can only process data for the specific purposes that Schibsted Sverige/Schibsted Norge allows them to and only using any other third parties in that processing as allowed by Schibsted Sverige/Schibsted Norge. Examples would include Amazon Web Services, Zuora and similar companies.
- Data controllers, which mean companies who in their own right have full responsibility towards the user for the purposes to which their personal data is put and full responsibility for any third parties that may be involved in the processing of user personal data. In Schibsted, such disclosure could take place because it’s necessary to deliver a product or service to you (for instance providing your address to a distribution service in order to deliver a product). On our sites showing advertising, a selected list of companies and vendors are also allowed to buy ad inventory from us, which in some cases means that the companies and/or vendors act as separate data controller for the data being processed. More information about what happens when you are shown targeted advertising can be found here .
We keep publically available of a list of both categories of processors and controllers that we disclose data to. The full list with details can be found here.
Transfers of Data outside of the EU/EEA
Where Schibsted is the data controller and uses data processors that are located outside of the EU/EEA, we do this only in cases where
- the transfer location and recipient is judged to be adequate under rules established under the GDPR, or
- the transfer takes place under the standard contractual clauses as defined by the EU Commission to regulate such transfers under the GDPR, or
- the recipient is based in the USA and is certified under the Privacy Shield mechanism, thus ensuring sufficient data protection according to GDPR.
You can find more detailed information about the data processors we use here.
Schibsted operates with the general rule that we only retain user personal data for as long as is minimally necessary to execute fully the purpose for which it was collected, purposes which must have been communicated to our users and which must have a legal basis under privacy regulations.
We interpret that into these three high level rules that summarise our policy:
- We retain Schibsted account profile data for as long as the user is paying for a subscription service or for as long as the user has actively used that account to access our services in the last 3 years. User accounts that have been inactive for 3 years will be deleted.
- We retain behavioural, technical (e.g. IP address) and real-time location data for targeted advertising purposes for 30 days or less.
- We retain behavioural and technical data for product improvement, content personalisation, security logging, service stability/performance logging and for Schibsted’s own marketing purposes for 18 months or less (see full details in link below). Location data based on IP addresses is retained for advertising product improvement purposes for a maximum of 125 days.
There is considerable detail underlying the specific application of data retention periods by purpose, by data type and by user type. The full detail can be found here .
Your rights as a user and as a data subject
Users have legally defined rights relating to personal data about them. Schibsted is fully committed to supporting users in accessing and using those rights. The table below shows users their rights and how they can access them. Schibsted aims to respond to any requests related to these rights as quickly as possible, but always within 30 calendar days.
|User or Data Subject Right||How to access||Further information|
|The right of access / the right of data portability||Users can access a full electronic copy of all personal data Schibsted Sverige holds about them via the Schibsted account administration interface.||Users in Sweden can access the Schibsted account administration interface here.|
|The right to rectification||Profile details associated to the user's Schibsted account can be corrected at any time by accessing the Schibsted Account administration interface and updating your data.
If users believe we hold any other data about them that may require rectification, they should contact the Privacy team at Schibsted.
|Users in Sweden can access the Schibsted account administration interface here.
Users in Sweden can contact the Privacy team at Schibsted using this contact form here.
|The right to erasure||Users can request a deletion of their personal data as held by Schibsted Sverige at any time by accessing the Schibsted account administration interface.||Users in Sweden can access the Schibsted account administration interface here.|
|The right to restrict processing and the right to object to processing||Users can restrict how Schibsted Sverige processes their personal data in the following ways:
- users can alter their permissions for various forms of targeted advertising
- users can alter their permissions for personal data use for product improvement, for marketing, customer service and for communications such as news alerts, newsletters and emails via the settings pages of each service.
Users can also contact the Schibsted Privacy team to request a restriction or to object to any other form of processing.
|Targeted advertising processing controls are here.
Controls for other processing are here
Other news brands have their settings pages prominently displayed in their product navigation.
Users in Sweden can contact the Schibsted Privacy team using this contact form here.
|The right to avoid automated decision-making with legal or similar effects||Schibsted Sverige does not take automated decisions about our users that have any legal or similar effect.||If you have any concerns about potential automated decision making that you believe does affect you in legal or similar ways, please contact the Schibsted Privacy team.
Users in Sweden can use this contact form.
Use of data for journalistic purposes
Schibsteds media houses also process personal data for journalistic purposes. Out of consideration of freedom of speech and freedom of information concerns, there are large parts of the regulations for personal data that do not apply to processing of personal data for journalistic purposes. Schibsteds media houses have a strong focus on information security and meet all the legal obligations of their business, as well as the obligations of their editorial operations. Personal data from Schibsted Account or from behavioural data as gathered by Schibsted Sverige will not normally be used for journalistic purposes.
Contacting Schibsted, the Data Protection Officer or filing a complaint with the data protection authority
Schibsted takes the personal data privacy of its users very seriously. If you have a query or a complaint about how we process your personal data, you can contact the Schibsted privacy team through this online contact form. Schibsted commits to responding to queries as quickly as possible, and at least within 30 days.
If you remain unhappy with our privacy services or our processing of personal data, you can take up your query at any time with the relevant regulator, usually Datainspektionen in Sweden or, for cookie-related processing, PTS. Likewise, in Norway you can take up your query with Datatilsynet or NKOM for cookie-related processing.
For simpler queries we strongly recommend you use the online Schibsted account tools to execute data access / portability requests and data deletion requests, as well as to correct any inaccuracies in your Schibsted account profile.
You can also alter your choices at any time for the most common activities Schibsted executes using your data via the settings pages of each brand service or using this tool for advertising. If you are unable to use those services for any reason or wish to restrict or object to processing directly, you should use the online contact form to reach out to the Schibsted privacy team.