At Norican Group we are committed to providing excellent service to our customers, suppliers, business partners and employees. As providing this service involves collection and use of personal data about our customers, suppliers, business partners and employees, the protection of their personal data is a high priority for us.
While we have always respected privacy and safeguarded personal data, we have strengthened our commitment to protecting personal data as a result of the EU General Data Protection Regulation (GDPR), which will take effect on May 25th, 2018.
We will inform customers, suppliers, business partners and employees about what personal data we collect, use and share, and for how long we will store the information. We will obtain their consent for such processing if required.
We will include the processing terms and consents in our standard business agreements (general T&Cs) and employment contracts. With respect to agreements already in operation, we will verify that the terms cover what is needed and if not, either include adequate provisions in an updated agreement or an amendment.
- Personal data – means information about an identifiable individual natural person. Personal data also includes contact details on employees within companies such as a work email address (contact persons).
- Company information – means information that relates to the company as such, e.g. the company name, business address, business registration number, financial information, etc.
- Data subject – means the individual person to whom the personal data relates.
- Data Protection officer – means the employee appointed by Norican as responsible for ensuring that Norican complies with this policy and the GDPR in general.
2. Collection and processing of personal data
Personal data will always be:
- Obtained for one or more specified and lawful purposes and not kept for longer than is necessary for those purposes except if the data is anonymised.
- Adequate, relevant and not excessive in relation to the purposes for which it is processed. Further processing shall not be in a manner incompatible with the original purposes.
- Accurate and where necessary kept up to date by use of periodic and relevant checks. Personal data which turns out to be inaccurate or misleading is erased or rectified without delay.
- Processed in accordance with the rights of data subjects under relevant legislation.
- Subject to appropriate technical and organisational measures taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Norican collects and uses personal data for a variety of legitimate business purposes, including customer and supplier identification and management, recruitment, managing all aspects of terms and conditions of employment, communication, fulfilment of legal obligations or requirements, performance of contracts, providing our services to customers, transportation of products, etc. Norican will also comply with legal requirements in a specific country.
3. Legal basis for processing - Use of consent
In most cases, we request consent prior to the collection of personal data.
If the collection, registration and further processing of personal data on customers, suppliers and other business relations are based on such persons’ consent, the consent shall be:
- provided voluntarily (the person providing his or her consent must not feel pressured to do so);
- specific and unambiguous (so that he or she is aware of the scope of the consent);
- informed (each individual shall be provided with information regarding the type of personal data processed, the purpose of the processing, any transfers of personal data, etc.).
To process sensitive personal data the consent shall also be explicit. Please note that any processing of sensitive information is subject to a relevant and legitimate purpose.
Processing of personal data regarding customers, suppliers or other business relations may in certain cases also be based on a legal basis other than consent, e.g. if the processing is necessary for the purposes of the legitimate interests pursued by Norican, and these interests are not overridden by the interests of the data subject. In addition, in case an agreement (e.g. a supply or delivery agreement) has been entered into, personal data required to fulfill such agreement can be processed. Further, consent is not required in situations where Norican is obligated to process the personal data in order to comply with applicable legislation or requests from authorities. However, sensitive personal data shall not be processed without the data subjects’ explicit consent unless the processing is specifically authorised by law.
In case the collection and processing of personal data relates to agreeing or fulfilling a contract, we will not request further consent from the data subject.
The data subject may withdraw his/her consent at any time and upon such withdrawal, we will stop collecting or processing personal data about that person unless we are obligated or entitled to do so based on another legal basis.
4. Transfer of personal data
We will only use the personal data collected to fulfill the specific purposes for which the personal data is collected.
We will not sell or provide personal data to third parties except when required by a legal requirement in a specific country or for fulfilling an agreed contract, e.g., an employment agreement.
Personal data shall only be transferred/disclosed to third parties if a legitimate purpose for the transfer/disclosure exists. If the recipient is acting as a data processor, please refer to clause 7 below.
If the third-party recipient is located outside the EU/EEA, the transfer/disclosure can only be completed if the data subject has consented to such transfer/disclosure or if a transfer agreement has been entered into between the Norican entity and the importer of personal data (third party).
5. Disclosure of personal data within Norican Group
We will only disclose personal data to employees within Norican having a legitimate business purpose (e.g., work tasks) for processing said personal data and such disclosure will not comprise more personal data than truly needed to fulfill such purpose(s).
6. Ensuring accuracy of personal data
We will make commercially reasonable efforts to ensure personal data is accurate and complete and conduct periodic updates hereof.
7. Personal data processed by 3rd parties – data processors
A data processor is a company that processes personal data on behalf of Norican and in accordance with Norican’s instructions. Before disclosing the personal data to the data processor, Norican will enter into a written data processing agreement with the company processing the personal data on Norican’s behalf. The data processing agreement will ensure that Norican controls the processing of personal data which takes place outside Norican but for which Norican is responsible.
8. Rights and obligations of the data subjects
When Norican collects and registers personal data on, e.g., employees, customers, suppliers, other business partners, etc., Norican is obligated to inform such persons about the purpose(s) of the processing of the personal data collected, possible transfers of the personal data, when the personal data will be deleted, the right to access the personal data, etc. As a general rule such information shall be provided to the data subject when the personal data is collected.
Any data subject has the right to request access to the personal data which Norican processes or stores about him/her. In addition, such persons may object to the processing and require that incorrect personal data be updated, corrected or deleted.
Under certain circumstances the data subjects also have the right to receive the personal data registered in a structured, commonly used and machine-readable format.
9. Questions and complaints
We have appointed a contact person for each set of personal data should there be questions about the personal data collected. Said person will be specified in the consent form. We have appointed a Data Protection Administrator (DPA) who will be responsible for ensuring that Norican Group complies with the legal requirements in each country where we operate. Complaints related to how Norican Group handles or collects personal data can be forwarded via e-mail.
We will continually review and update our security policies and controls to ensure compliance with laws and regulations as well as adequate privacy security.