Processing Purposes and Legal Bases – Full Details – Schibsted Norge/Sverige

Introduction

This document, which forms part of the Privacy and Cookie Policy of Schibsted Norge / Schibsted Sverige, describes the purposes for which Schibsted collects and processes your personal data from within your interactions with our services.

It also describes the legal bases under which we carry this out. A “legal basis” is the legally-defined reason why Schibsted believes it is allowed to collect and use specific types of data for specific purposes. We review these legal bases regularly, both based on feedback from users, regulatory and our business partners. 

If you disagree with our use of a given form of legal basis for collection and processing of data, you can raise it with us via the contact form for the Schibsted privacy team. We are committed to responding to all such queries within 30 days.

In the tables below blank spaces should be interpreted as mean this processing activity does not utilise that specific category of data.

You can find the legal definitions of consent and legitimate interest as legal bases here. In cases where Schibsted uses legitimate interest we have carried out a legitimate interest assessment to ensure we have put into place measures to fairly balance Schibsted’s legitimate interests with the rights of users of our services.

General Processing Purposes, Legal Bases and Affected Categories of Personal Data

Processing Purpose 1: General Service and Product Delivery

Purpose Explanation: Profile data, as well as user’s IP address and other device, browser and app technical information is processed in order to deliver the product or service-related content and functions to the user.

Legal Basis: Contractual obligation. 

Controls: No opt-out control for this is offered to users as this is strictly necessary for the delivery of the service.

Data Types Processed: User Profile data from Schibsted Account. 

*****

Processing Purpose 2: Service and product customization

Purpose Explanation: Customisation of the service to better meet the user’s needs with the customisations requested directly by the user. Users configure the properties of the services they receive from Schibsed, e.g. notifications, font size, product related newsletter subscriptions etc.

Legal Basis: Contractual Obligation

Controls: The controls for these processing activities are the user settings interfaces in each of our services. See here for more details of how to access these controls in Norway or Sweden

Data Types Processed: User Profile and Account Data from Schibsted Account, as well as Payment Data.

*****

Processing Purpose 3: Administration of Schibsted Account Log-In

Purpose Explanation: All processing activities related to the establishment, maintenance and delivery of a user’s Schibsted account.

Legal Basis: Contractual Obligation

Controls: The controls for this service are located within the administration screen for Schibsted Account. There is also control on the settings page of relevant services to allow users to opt out of the use of third party data to correctly maintain and update their account data and profiles, for example updating address information. See here for more details of how to access these controls in Norway or Sweden

Data Types Processed: User Profile and Account Data from Schibsted Account, Payment Data, Behaviour Data and Inferred/Derived User Data is used.

*****

Processing Purpose 4: Invoicing and Payment Processing Activities

Purpose Explanation: Processing user personal data to ensure easy and successful payment of monies owed to Schibsted for service subscriptions and other payments, as well as processing performed by Schibsted to collect payment through legal recourse in the event of payment default.

Legal Basis: Contractual obligation is the legal basis for all invoice and payment processing that is performed as part of normal contractual fulfillment of payment obligations. Legitimate interest is the legal basis for using personal data for legal recourse in collecting payment in case of payment default.

Controls: No opt-out control for this is offered to users as this is strictly necessary for the delivery of the service or is in the legitimate interest of Schibsted to ensure payments owed are completed.

Data Types Processed: User Profile and Account Data from Schibsted Account, Payment Data and Inferred/Derived User Data is utilised.

*****

Processing Purpose 5: Consumer-facing Marketing Communications 

Purpose explanation: Personal data may be used in personalised marketing towards you to promote other Schibsted services, based on how you currently use your current Schibsted services, e.g. VG+ users receiving promotional messages for VG+ or for Aftenposten+.

Legal Basis: Consent is the legal basis when user is not in a subscriber customer relationship with Schibsted. Legitimate interest is the legal basis when a user is in a subscriber customer relationship with Schibsted. 

Controls: Controls for this processing are available to users on the settings page of relevant services.  See here for more details of how to access these controls in Norway or Sweden. Schibsted also respects any objections to direct marketing by telephone or post as registered by users with national authorities.

Data Types Processed:  User Profile, User Account Data, User Behaviour Data, Inferred/Derived User Data and Location Data (GPS or IP-address based) is utilised.

*****

Processing Purpose 6: Customer Service and Care Activities

Purpose Explanation: The first related purpose is to process personal data to ensure we can engage with users who contact us by telephone, email and chat tools to solve customer service issues. The  processing activities also comprise recording of details of customer contact in text records and audio recordings, as well as details of the resolutions of each case. The second related purpose  is the use of personal data to send users personalised offers as part of their membership of loyalty programmes, e.g. A-kortet from Aftenposten. The third related purpose is to improve our customer service over time by a process within which customer enquiries are aggregated into anonymous data to help Schibsted measure our effectiveness in customer service. Personal data is accordingly used for creating statistics that is used for analysis of interactions between users and the tools/staff of a Schibsted company (e.g. VG in Norway or Aftonbladet in Sweden) to discover ways in which that company can improve customer service and the product itself. The fourth related purpose is the personalisation of content within the service of a given company (e.g. Aftenposten) via analysis of interactions of users with that service and via the user’s behaviour in that service over time. The underlying purpose of the personalisation is to ensure articles presented to users are relevant and engaging.

Legal Basis: Contractual obligation is the legal basis for handling customer enquiries. Legitimate interest is the legal basis for A-kortet related processing, for processing to improve product and customer service over time and for personalisation of service functionality and content.

Controls: Controls for this the legitimate-interest based processing are available to users on the settings page of relevant services. See here for more details of how to access these controls in Norway or Sweden

Data Types Processed: User Profile Data, User Account Data, User Behaviour Data, Inferred/Derived User Data and Location Data (GPS or IP-based) are utilised.

*****

Processing Purpose 7: Security related processing activities and anti-fraud or abuse processing activities:

Purpose Explanation: Analysis of log activity, transaction activity and other behaviours to ensure the stability of our services and the security of data stored by Schibsted, as well as ensuring compliance with our user policies and terms of use relating to for example acceptable user behaviour in debate and comment forums.

Legal Basis: Legitimate interest

Controls: There are no opt-out controls in the product for these activities. Schibsted does not typically allow users to withdraw from this processing as it is critical to protect the security of all our services to all our users.

Data Types Processed: User Profile Data, User Account Data, Payment Data, User Behaviour Data, Inferred/Derived User Data and Location Data (GPS or IP-based) are utilised.

*****

Processing Purpose 8:Data collection to allow users to access corporate/institutional news services 

Purpose Explanation: Giving access to premium news content online and via product newsletter for corporate/institutional users. Some users access premium content at no direct cost through subscriptions paid for by their employer or their educational (or other) institution. The user is identified via their device IP address being within the WIFI network range of the institutional client. Users also receive an email with information from their institution, but can opt out of that email.

Legal Basis: Legitimate interest

Controls: Controls for this the legitimate-interest based processing are available to users on the settings page of relevant services. See here for more details of how to access these controls in Norway or Sweden

Data Types Processed: User Profile Data, User Account Data and Location Data (GPS or IP-based) are utlised.

*****

Processing Purpose 9:B2B sales, purchase and marketing related customer data processing

There is a separate Privacy Policy for B2B customer data processing. This can be found here.

B2B Policy for Norway

B2B Policy for Sweden

Processing Purpose 10: Real Estate Advertising

Purpose Explanation: Schibsted works together with real estate brokers, who can place ads for properties for which they are promoting sales. You can find more information about this processing purpose here.

Legal Basis: Contractual obligation. 

Controls: No opt-out control for this is offered to users as this is strictly necessary for the delivery of the service.

Data Types Processed: Information which is present within the property advertisement.

*****

Advertising-Related Data Processing

Schibsted shows ads on our sites and apps. In the process of showing ads in the online context, we process personal data to target advertising to our users. In the information below, we have split up this general and high level purpose, in several related purposes. All these purposes are intrinsic to our online advertising business. 

Processing Purpose 11: Placing cookies and accessing cookie information.

Purpose Explanation: Cookies, device identifiers, or other information can be stored or accessed on your device for the purposes outlined in this document. Browser controls allow users to block cookies and similar devices. Further information about cookies can be found in the privacy and cookie policy. 

Legal Basis: Consent as defined with the national implementation of ePrivacy Directive within Norway and Sweden. In Norway and Sweden, a consent through browser settings and sufficient information is considered sufficient. Subsequent processing of personal data is governed by GDPR, and is covered by the other processing activities described below in this table.

Controls: Control on the placement of cookies can be executed through the browser settings on your device.

Data Types Processed: User Profile, Account Data and User Behaviour Data is used.

*****

Processing Purpose 12: Selection of basic advertisements. These are contextual advertisements

Purpose Explanation: Ads can be shown to you based on the content you’re viewing, the app you’re using, your approximate location to country level, or your device type (mobile versus tablet versus desktop).

Controls: Opt-out controls for contextual ads is not available, as this would remove any meaningful ability of Schibsted to fund our news and other online services to you via digital advertising.

Data Types Processed: User Profile Data and User Account Data is used to access your advertising settings data and device type/IP address data is utilised to deliver the ad content.

*****

Processing Purpose 13: Selection of personalised ads.

Purpose explanation: Personalised ads can be shown to you based on a profile about you. A profile builds upon information such as demographics, location and how you use Schibsted services. Personal data may also be used to customise offers to you from partners based on the range of Schibsted services you use. Schibsted can also use personal data to conduct marketing based on a “match” between your personal data and that of partners which identify you as someone who may benefit from the services they offer (so called CRM matching).

Legal Basis: Legitimate Interest.

Controls: Users are offered 4 separate controls in which they can opt out of specific targeting types, all of which are available through Schibsted Account privacy settings or About Me for non-logged in users. See here for more details of how to access these controls in Norway or Sweden

Data Types Processed: User Profile Data, User Account Data, User Behaviour Data, Location Data (GPS or IP-based) are utilised. If the user switches all these controls to “off”, then only contextual ads will be displayed (see processing purpose 11). No name, email address, address or other similar identifying information for users is shared with advertisers or other third parties.

*****

Processing Purpose 14: Measure Ad Performance

Purpose Explanation: The performance and effectiveness of ads that you see or interact with can be measured.

Legal Basis: Legitimate Interest

Controls: No controls are offered to users, as it is not possible to sell digital advertising without ad performance measurement being in place for advertisers. Revenues from these advertising services are critical to the news and other services that Schibsted delivers.

Data Types Processed: User Profile Data, User Account Data and User Behaviour Data are utilised. No name, email address, address or other similar identifying information for users is shared with advertisers or other third parties.

*****

Processing Purpose 15: Develop and improve advertising products.

Purpose Explanation: Your data can be used to improve existing systems and software, and to develop new products.

Legal Basis: Legitimate Interest

Controls:  No user-facing controls for this at this time.

Data Types Processed: User Profile Data, User Account Data, User Behaviour Data, Location Data (GPS or IP-based) are utilised. No name, email address, address or other similar identifying information for users is shared with advertisers or other third parties.

*****

Processing Purpose 16: Ensure security, prevent fraud, and debug ads products

Purpose Explanation: Your data can be used to monitor for and prevent fraudulent activity, and ensure systems and processes work properly and securely.

Legal Basis: Legitimate Interest

Controls: No user-facing controls for this, as security and fraud prevention is not a function users can opt-out from, for obvious reasons.

Data Types Processed: User Profile Data, User Account Data, User Behaviour Data, Location Data (GPS or IP-based) are utilised. No name, email address, address or other similar identifying information for users is shared with advertisers or other third parties.

*****

Processing Purpose 17: Selection of personalised content

Purpose Explanation: Your device can receive and send information that allows you to see and interact with ads and content.

Legal Basis: Legitimate Interest

Controls: No user-facing controls for this.

Data Types Processed: User Profile Data, User Account Data, User Behaviour Data, Location Data (GPS or IP-based) are utilised. No name, email address, address or other similar identifying information for users is shared with advertisers or other third parties.

*****

Processing Purpose 18: Anti-Ad-Block Processing

Purpose Explanation: If your browser or an add-in component to it attempts to block all ad content, this processing detects that activity and takes measures to ensure that ads are visible in the service.

Legal Basis: Legitimate Interest

Controls: No user facing controls for this at this time. Ads are a fundamental component of the revenue model of our services and blocking ads makes it impossible for Schibsted to receive fair remuneration for the services we provide to users at low or no cost.

Data Types Processed: User Profile Data and User Behaviour Data and IP address are utilised.

If you have questions about these processing purposes and their legal bases, contact the Schibsted Privacy team via this contact form for Norway and this contact form for Sweden. Schibsted is committed to answering questions within 30 days.

Continue reading...