1. Information on the processing of personal information and the controller
Schibsted Norge AS collects and processes personal information about our customers, partners and employees of our advertisers in connection with advertising sales. It is our responsibility to treat the data safely, both in terms of legal requirements and the expectations of our advertisers.
Schibsted Norge AS is responsible for the processing of personal data described here.
The information you find here applies to the processing of personal data in connection with Schibsted’s advertising sales, and does not include the processing or collection of personal data relating to users on Schibsted’s websites. To learn more about how we collect and manage the user’s personal data, you can read more about this in our privacy portal, which you can find here.
2. The Personal Data Act
As of May 25, 2018, a new regulation replaced the previous EU / EEA privacy legislation, the General Data Protection Regulation, often abbreviated GDPR. The information in this document is structured to comply with the GDPR rules on information and transparency.
3. Collection and processing of personal data in Schibsted's advertising business
The personal data Schibsted collects in connection with the advertising business is mainly used to carry out the sales process and the agreement with the customer, and to maintain contact with our active customers. This could mean that we store names and phone numbers in order to follow up a customer contact after a sales meeting, and that we process personal information in connection with order tracking and invoicing. Another example is that we store contact information for a person who works for a company that is a customer of Schibsted. More detailed information on the purposes of processing personal data can be found in paragraph 7 below.
Schibsted also stores personal information in order to have a complete accounting basis in accordance with the Accounting Act, e.g. names of customer references stored in invoices.
How do we collect personal information?
We collect personal information in the following ways:
- When a person completes one of our contact forms on the internet
- When a person is in contact with our sellers or partners to buy advertising
- By gathering data on contact persons on companies’ websites or encyclopedias such as gulesider/eniro.
- When a person signs up to use our services, for example through FINN.no or EasyAd
- From a third-party provider of data, such as IPER or UC (data provider that collects business information from the Brønnøysund Register and enriches it with data from other public sources)
- By attending some of our events
When we receive the information directly from an individual, a link to this privacy statement will be available when the information is collected. For all processing of personal data as described in this privacy statement, the customer and the contact person are registered in our customer system. When registering contact persons, an email is sent immediately to their email address with a link to this privacy statement. When information is not collected directly from the individual, information about the controller is given immediately.
4. Categories of personal data (what personal data is processed)
The table below lists a complete overview of the personal data collected in connection with Schibsted’s advertising activities. The personal information collected will vary based on whether you are in contact with us as a private person or whether you are acting on behalf of a company.
| Personal data category | Description |
|---|---|
| Name | The name of the customer, or the name of a contact person at a company that is a customer (advertiser) at Schibsted. |
| Telephone number | Telephone number of the customer or a contact person of a company that is a customer (advertiser) at Schibsted. |
| E-mail address | E-mail address of the customer or of a contact person of a company that is a customer (advertiser) at Schibsted. |
| Function / Role | Function and role of a contact person at a company that is a customer (advertiser) at Schibsted. |
| Employer | Customer / Affiliate / Advertiser who is the company a contact person represents. |
| Organization number | Organization number for a single company. |
| Meeting notes | Notes from meetings and conversations with our sales people.. |
| Address | Customer's address (advertiser). |
| E-mail correspondence | E-mail containing personal information that you have sent or received via your e-mail address. |
| Information on response to newsletters and invitations | When sending out newsletters and invitations, any response that the recipient registers is stored, as well as information on when and how many times the newsletter / invitation was read. |
| Events | Overview of which events a person has signed up for, any allergies and if the person has attended the event. |
| Purchase history | History of the products that have been purchased, as well as the time and price. |
5. Storage time
Personal information is stored for a certain period of time and then deleted. The types of data stored and how long are described in the table below.
| Material or document | Storage time |
|---|---|
| Customer card (a description of the customer - legal information, contact information, overview of associated sales people, contacts, activities and purchase history) | Companies from Brønnøysund or UC are stored and maintained in the system, including contact information at these companies. 12 months * after the last activity or turnover of the customer, all personal data (contacts) associated with the company is deleted. |
| Name and any other information regarding the customer and contacts in the CRM system | When a customer is deemed inactive (see above), based on there having been no turnover or activity on the customer for the past 12 months, * all personal information on the customer card (including associated contacts) will be deleted. When personal contact information for a contact person is obtained from public sources (eg a corporate website) and the customer is not an active customer, the contact is deleted within 3 months after they have been collected. This will happen in cases where we work with a potential customer. If a customer relationship is established, the usual deletion time as described above applies. If a contact specifically requests to be deleted, we will delete both the contact and all associated information about that contact. |
| Primary documentation according to the Accounting Act | 5 years |
| Secondary documentation according to the Accounting Act | 3,5 years |
| Meeting notes and other customer-related notes | Notes related to the customer (company) are maintained as long as the customer exists in the system. Contacts-only notes are deleted when the contact is deleted. |
| Booked meetings | Booked meetings related to the customer (company) are maintained as long as the company exists in the system. Bookings associated with contacts are only deleted when the contact is deleted. |
| Information on response to newsletters and invitations, as well as registration / participation in events. | The information is related to the contact person who received the newsletter / invitation. This is whether the recipient opened the newsletter and possibly links in the newsletter that were clicked on. For invitations, information is stored about which events the recipient signed up for, and whether the person participated. This information is maintained as long as the contact person is maintained. When the contact is deleted, this information is also deleted (see section on personal data above). Responses to surveys are maintained with the respondent for 30 days, and then the response is anonymized. |
* A customer is considered active for a period of up to 12 months after the last activity and / or turnover of the customer. After this period, the customer is no longer considered an active customer by Schibsted Marketing Services.
6. Purpose and legal basis for processing personal data
Whenever personal data is processed, a legal basis for the processing is required. The GDPR provides several alternative legal bases. The table below describes the legal basis Schibsted relies on for each processing purpose when processing personal data. Below is a general description of the different types of legal bases we rely on:
Contract: The data subject has entered into, or shall enter into, a contract with us. In cases where we rely on a contract as legal basis, the processing of personal data is necessary for us to fulfill the agreement, and the consequence of not collecting data means that we cannot enter into a contract. If you do not want us to process this information you will not be able to buy our products and services.
Legal obligation: In some contexts, we are required by law to process personal data. Typically, this refers to processing of data for bookkeeping purposes.
Legitimate interest: It is permissible to process personal data if we have a legitimate interest in processing such information, and the legitimate interest is not outweighed by the interests of the data subject. In cases where Schibsted uses legitimate interest we have carried out a legitimate interest assessment to ensure we have put into place measures to fairly balance Schibsted’s legitimate interests with the rights of users of our services.
The table below provides an overview of the personal information Schibsted collects, the purpose for which it is used, and the basis for the controller.
| Purpose | Personal data category |
Legal basis |
|---|---|---|
| To handle advertising orders purchased through our salespeople or companies using our advertising system. | Name | Contract |
| Organization number |
||
| Telephone number | ||
| Address | ||
| E-mail address | ||
| E-mail correspondence | ||
| In order to invoice individual companies and individuals, we need to store information about the buyer. | Name |
Contract |
| Organization number | ||
| Telephone number |
||
| Address | ||
| E-mail address |
||
| To manage and store e-signed agreements. | Name | Contract |
| Organization number | ||
| E-mail address | ||
| E-mail correspondence | ||
| To be able to follow up the customer and manage the contractual agreement. | Name | Contract |
| Telephone number |
||
| E-mail address | ||
| Role and function | ||
| Employer | ||
| Meeting notes | ||
| Address | ||
| E-mail correspondence | ||
| Purchase history | ||
| To be able to do credit checks (for corporate customers only). | Name | Contract |
| Organization number | ||
| To fulfill the requirements of the Accounting Act | Name of company / private person and possible organization number | Legal obligation to the Accounting Act |
| Telephone number | ||
| E-mail address | ||
| Invoice address | ||
| The nature and extent of the benefit, the time and place of delivery of the benefit, as well as other statutory invoice information | ||
| Agreements, correspondence and order confirmations in accordance with the accounting act | ||
| To invite potential and existing customers and partners to events, we store contact information about the companies and employees of these companies with whom we are in contact. | Name | Legitimate interest: Processing is necessary to invite customers and partners to events. We use the stored information to limit to whom invitations are sent, so that the invitation is most relevant to those who receive it. |
| Role and function | ||
| Telephone number |
||
| E-mail address | ||
| Employer |
||
| Allergies | ||
| Response to newsletters and invitations | ||
| Registration and participation in previous events | ||
| To customize future newsletters based on how a person has responded to previous newsletters, and to clarify which future events the contact should be invited to, e.g. a follow-up course to a previously completed course. | Name | Legitimate interest: We use the stored information to limit who we send invitations to, so that the newsletter is relevant to those who receive it. For example, an invitation to a follow-up course, which only, should be sent to those who participated in the first course. |
| Role and function | ||
| Telephone number | ||
| E-mail address | ||
| Employer | ||
| Response to newsletters and invitations | ||
| Registration and participation in previous events | ||
| We store contact information about the companies and their employees in order to send out information and customer surveys to potential and existing customers and partners. | Name | Legitimate interest: The processing is necessary to be able to send information and surveys to whom it may be relevant for. |
| Role and function | ||
| Telephone number | ||
| E-mail address |
||
| Employer |
||
| Response to newsletters and invitations | ||
| Registration and participation in previous events |
7. Use of data processors
We use suppliers that process information about companies and individuals on our behalf. Some of these providers will have access to personal information. An example of a service we use is data storage capacity for our customer processing systems. The service providers are our so-called ‘data processors’. This means that we are still responsible for the processing of personal data. The data processor can only process personal information in order to provide the service in question to us. The processor can only process the data in accordance with our instructions. They cannot use the data for their own purposes. Our use of data processors is carefully considered, including the information security of the supplier, to ensure that the data is processed correctly. We enter into data processing agreements regarding the processing of personal data with our suppliers in accordance with statutory requirements.
8. Rights and how they can be exercised
You, the customer, partner or employee of our advertisers, are always the owner of the personal data we store. This means that you have the right to access the data we have, and in some cases request that they be corrected or removed from our systems. Below you will find an overview of your rights. You may use these rights by contacting us as described in paragraph 9 below.
- Your right to know which information we process about you (right of access). You have the right to see what information about you we process.
- Your right to change incorrect information. You have the right to have incorrect information corrected.
- Your right to have data deleted («right to data deletion»). As a general rule, you have the right to have your personal data deleted. If such a request is made, we will ensure that the personal data that we store is either deleted or anonymized.
- Your right to oppose and limit data processing. In some contexts, we may process personal data if the processing is necessary to fulfill our legitimate interests, provided that the data subject’s right to data privacy does not weigh more heavily. In such cases, as a data subject, you have the right to protest that we process personal data about you. As a general rule, we will then stop this processing of personal data, and this applies without exception if the purpose is direct marketing. In some contexts, you also have the opportunity to request that the processing of your personal data be stopped or restricted. If you exercise this right, your information may only be processed based on your consent or for some other purpose that is directly stated in the Personal Data Act.
- Your right to obtain a copy of your data in digital format (right to data portability). You may, in certain circumstances, receive the information you have provided us in a digital format. If technically possible and justifiable, you also have the right to have information transferred to another company. This right applies only to information that is processed by automated methods and is based on your consent, or that is processed in order to fulfill an agreement with you. The right to data portability includes only information that you have provided to us, either directly through, for example, contact forms or generated through your use of our services.
You can see a complete overview of your rights on the Norwegian Data Protection Authority’s website. We would like to remind you that there are some exceptions to the rights we have described here. These exceptions are governed by the legislation and may, for example, mean that some information is not disclosed due to the rights and privacy of other persons, or that some personal data cannot be deleted because other legal requirements or considerations entail storage requirements.
9. How do you contact us with questions about privacy or to exercise your rights?
To exercise your rights or if you have any questions about our processing of personal data in accordance with these rules, please contact us on this contact form.
Schibsted Norge AS
Akersgata 55
0180 Oslo
Org.no. 996334767
One of our most important tasks is to process data in a safe, user-friendly and responsible manner. If you are dissatisfied, have suggestions on how we can improve or other input, please contact Schibsted Media’s Data Protection Officer.
You also have the right to complain about our processing of your personal data to the Norwegian Data Protection Authority.
