Privacy Policy

1. About the privacy policy document

Your privacy is important to Dokka Fasteners, and we are committed to protecting the integrity, availability, and confidentiality of your personal data. This document is intended to help us comply with the Personal Data Act of 2018. All personal data processing in Dokka Fasteners must always comply with the applicable data protection regulations. This privacy policy provides detailed information about what personal data is collected, how the data is collected and what rights you as a customer, supplier or employee have when your personal data is registered with us. 

2. Data controller

The CEO of Dokka Fasteners is the main controller for the processing of personal data carried out by the company. Responsibility for the daily follow-up of our compliance with the data protection regulations is delegated to the HR Director. This privacy policy applies to Dokka Fasteners’ departments in Norway and Denmark. The company is responsible for all personal data we process, whether for customers, suppliers, employees, or other business associates. The company is responsible for complying with the obligations arising from the rules on personal data. 

3. Knowledge of the personal data rules

We shall ensure that the relevant employees are aware of the rules on personal data, including this document on data protection. The level of knowledge shall be adapted to the individual employee’s needs when processing personal data. Management and some key functions within IT and HR shall have special knowledge of the regulations. 

4. Mapping of the processing of personal data

The company has mapped all processing of personal data in a separate mapping form. This records which data is registered, the purpose of the processing, how we process the data and on what basis we process the data. The mapping also assigns responsibility for each processing activity. Mapping helps to ensure that we comply with the rules on the processing of personal data and provides a basis for further mapping in the event of any new systems/procedures that include the processing of personal data. 

5. Basic requirements for the processing of personal data

The GDPR has seven basic requirements for the processing of personal data.

  • Lawful, fair and transparent. The data shall be processed in a lawful, fair and transparent manner in relation to the data subject. 
  • Purpose limitation. Personal data shall be collected for specified, explicit and legitimate purposes and shall not be further processed in a way incompatible with those purposes. 
  • Data minimization. Personal data shall be adequate, relevant, and limited to what is necessary for the legitimate purposes and not further processed in a way incompatible with those purposes. 
  • Accuracy. Personal data must be accurate and, where necessary, kept up to date. Appropriate measures must be taken to ensure that personal data that is inaccurate in relation to the purposes for which it is processed is erased or rectified without delay. 
  • Storage limitation. The personal data processed shall not be stored for longer than necessary to achieve the processing’s purpose. 
  • Integrity and confidentiality. The personal data processed shall be protected so that unauthorized persons do not gain access to the personal data and so that the personal data is not altered without authorization. 
  • Accountability. The company shall comply with the General Data Protection Regulation. 

If personal data is used for purposes other than those for which it was collected (see the purpose limitation requirement above), we shall always assess whether the new or changed purpose is compatible with the original purpose. We shall then take into account the factors set out in Article 6(4) of the GDPR.

6. Basis for processing personal data


6.1 Basis for processing

We shall have at least one of the following grounds for processing personal data: 

  1. The data subject has given consent to the processing of their personal data for one or more specific purposes.
  2. The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract. 
  3. The processing is necessary for compliance with a legal obligation to which the controller is subject. 
  4. Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject prevail and require the protection of personal data, in particular if the data subject is a child (balancing of interests). 

It must be clear from the mapping form which basis or bases we have for processing the data. 

If the basis for processing is the consent of the data subject, we must familiarize ourselves with the special rules that apply to such consent, including the requirement for documentation. If the basis for processing is our legitimate interest, we must specifically document the balance in writing, see below. 

6.2 Contact persons at corporate customers 

The processing of personal data is based on a balancing of interests. We need to keep in touch with our business customers in order to follow up on offers, orders and deliveries. This is a legitimate interest. This contact is only effective if we can contact individuals directly. Processing is therefore necessary. 

The processing takes place in relation to the contact person’s employer, who is a customer of ours. In addition to names, we process general contact data, such as telephone number, email address and employer, all of which are primarily related to the contact person’s employment. The scope of the data is therefore limited. The processing of the data is related to the customer’s business activities and not to the contact person’s private life. When consent is required under the Marketing Control Act, the contact person will also have given consent before we send marketing emails. Our processing of personal data is clearly foreseeable for the contact person. 

We believe that the legitimate interest overrides the interests of the contact person. 

6.3 Contact persons at suppliers 

The processing of personal data is based on a balancing of interests. We need to stay connected with our suppliers to follow up on offers, orders and deliveries, among other things. This is a legitimate interest. This contact is only effective by contacting individuals directly. Processing is therefore necessary. 

The processing takes place in relation to the contact person’s employer, who wishes to be our supplier. In addition to names, we process contact information, such as telephone number, email address and employer, all of which are primarily related to the contact person’s employment relationship. The scope of the data is extremely limited. The processing of the data is related to the supplier’s business activities and not to the contact person’s private life. Our processing of personal data is clearly foreseeable for the contact person. 

We believe that the legitimate interest overrides the interests of the contact person. 

6.4 Job applicants 

The processing of personal data is based on a balancing of interests. We need to use data to assess applications that job applicants send us. This is a legitimate interest. It is not possible to assess an application without processing personal data. Processing is therefore necessary. 

We ask those who want to apply for a job with us to send us at least information about their name, education, work experience and references. Job applicants will often also provide additional personal data they consider relevant for the assessment of the application, such as contact information, family relationships and interests. In interviews, we ask questions to determine whether the job applicant is suitable for the position. In some cases, we may use tests or questionnaires for this purpose. If we decide to hire the job applicant, we may ask for additional information and for documentation of information we have already received. Providing us with information is voluntary. 

We do not use the information for anything other than assessing the application. We do not provide the information to anyone else. We may retain information from job applicants for six months in case job applicants believe that their rights have not been met. 

We believe that the legitimate interest overrides the interests of the job applicant. 

6.5 Employees 

Processing of data is mainly based on legal obligations. Some of the processing is also based on a balancing of interests. We need to be able to document that we have fulfilled our legal and contractual obligations, also after they have been fulfilled. We also need documentation from personnel administration for use in future personnel administration. These are legitimate interests. This cannot be achieved in any other way than by storing the data. Processing is therefore necessary. 

Our employees have an ongoing contractual relationship with us. The personal data we process is linked to this contractual relationship. It is information that employees have provided to us. The data relates to matters that an employer is likely to process. 

We believe that the legitimate interest takes precedence over the employee’s interests. 

6.6 Former employees 

The processing of most of the personal data is based on a balancing of interests. There may be a need for us to document personnel matters even after the employment relationship has ended, for example in a dispute with the former employee. This may apply, for example, to documentation that we as an employer have fulfilled our obligations under legislation or the employment contract. This is a legitimate interest. This cannot be achieved in any other way than by storing the data. Processing is therefore necessary. 

The processing involves storing the data for up to twelve months. We may store information about the fact that the employee was employed, the duration of the employment relationship and work tasks for longer. The data will not be disclosed to others except at the former employee’s request, for example in connection with the assessment of employment with a new employer. 

We believe that the legitimate interest takes precedence over the interests of the former employee. 

6.7 Other contact persons 

Processing personal data is based on a balancing of interests. We need to have contact with public authorities, such as NAV and supervisory authorities in connection with public law matters where we may have obligations and rights. This is a legitimate interest. In some cases, this communication will only be effective if we can contact individuals directly. Processing is therefore necessary. 

We store names and contact details, and we use the data to contact the person’s employer. The data is related to the contact person’s employer’s business and not to the contact person’s private life. Our processing of personal data is clearly foreseeable for the contact person. 

We believe that the legitimate interest overrides the interests of the contact person. 

7. Basis for processing of sensitive personal data

Processing of sensitive personal data requires a legal basis for processing in addition to those mentioned in section 6. 

Sensitive personal data is data concerning racial or ethnic origin, political opinions, religion, beliefs, or trade union membership, as well as genetic data and biometric data for the purpose of uniquely identifying a natural person, health data or data concerning a natural person’s sex life or sexual orientation. 

If we are to process such data, we must ensure that we have a basis for processing. For our employees, information about health and trade union membership will be particularly relevant. Health includes, for example, illness and injuries and absence due to these. A particularly relevant basis for processing will be that processing is necessary in the capacity of an employer, for example when following up and reporting to public authorities or when facilitating the employment relationship. 

Processing of information about criminal offenses and violations of the law etc. is subject to special rules that we must familiarize ourselves with if we are to process such information. 

8. Information to data subjects (privacy statement)

We are required by law to provide information to data subjects. We will provide such information in a privacy statement, i.e. this document. We make the information available via our website. All data subjects must have access to the information that applies to them. Information to employees about the rules is provided at an information meeting and through our staff handbook. 

The information shall include the name of the company and contact information, the purpose of the processing, the categories of personal data, recipients of personal data (if they are disclosed), information about any disclosure of personal data to other countries, how long the personal data will be stored, the data subjects’ right to demand access, rectification or erasure of personal data, how the company gained access to the personal data and the opportunity to complain to the Norwegian Data Protection Authority. 

9. Rights of data subjects

We shall respond to inquiries from data subjects without undue delay. If we receive such requests, they must be sent to the CEO and HR Director. We will ensure that data subjects can exercise their rights with us. 

10. Erasure of personal data

We shall delete personal data without undue delay when it is no longer “necessary” for the purpose for which it was collected or processed. We will review this at least once a year. Our guidelines for deletion are set out below. 

Employees 

Generally, we retain all data relating to the employment. Employees may request that data be deleted. This will be assessed on a case-by-case basis. Legislation may require a longer retention period. 

Former employees and job applicants 

See above on the legal basis for processing for these categories. Legislation may require a longer retention period than stated there. 

Contact persons at suppliers and customers 

We must delete the data when we become aware that the contact person has left the supplier or customer or that the supplier or customer has appointed a new contact person. The same applies when the supplier or customer relationship has ended. 

However, we may store the data for a longer period if we believe it may be necessary to document the contact we have had with the supplier or customer. This may apply, for example, to questions about rights or obligations in the contractual relationship with the supplier or customer. Legislation may also require a longer retention period. 

Other contact persons 

We will delete the data when we become aware that the person is no longer relevant to our needs, including if the person leaves the company, public agency, etc. 

However, we may store the data for a longer period if we believe it may be necessary to document contact with the person or the person’s employer. This may apply, for example, to questions about rights or obligations in contractual, public law or other matters. 

11. Data protection officer

We have considered whether GDPR requires our company to have a data protection officer. 

We have no or very few natural persons as customers. We do not engage in regular and systematic monitoring of data subjects on a large scale. For most categories of data subjects, we process ordinary personal data such as names, address, employer, email address, telephone number, etc. We process some sensitive data about employees. 

We have concluded that our company is not required to have a data protection officer. 

12. General risk assessment

We will conduct a risk assessment of the processing of personal data. This assessment shall enable us to identify and define the security measures to be implemented. 

The assessments shall relate to the likelihood and severity (risk) to the “rights and freedoms” of individuals, such as physical harm, damage to property or assets and medical harm. Examples of harm include discrimination, identity theft, reputational damage, loss of social esteem, disclosure of confidential information to unauthorized persons and unacceptable invasion of privacy. 

The survey form shows that we: 

  • largely process only general contact information, such as name, address, employer, email address, telephone number, etc. 
  • process information about employees that is commonly used to administer personnel matters, including compliance with statutory obligations 
  • have few or no private customers 
  • do not process data about children 
  • process data that is part of running a normal business activity 

We have never been the victim of a data breach. Nor are we aware of any outsiders showing an interest in the personal data we process. We therefore believe that it is unlikely that the data has been subject to a breach. 

Based on the nature and scope of the data we process, we believe that the consequences of a breach will not be serious. 

When it comes to some of the information about employees, the likelihood and seriousness of a breach of the rules is much greater. We therefore have separate procedures for processing such data, including limiting access to it. 

We shall risk assess changes that may affect information security, for example when we purchase new IT services. The results of risk assessments must be approved by those who have overall and day-to-day processing responsibility in the company. 

13. Information security

We are required by law to take appropriate technical and organizational measures to achieve a level of security that corresponds to the risk associated with our processing of personal data. We must take into account the state of the art, the implementation costs and the nature, scope and purpose of the processing, as well as the context in which it is carried out. 

Our risks have been assessed overall in the section above. 

On this basis, we have implemented these measures: 

  • A group consisting of people from HR, quality and logistics/IT has been appointed with particular responsibility for ensuring that information security is safeguarded. Overall responsibility lies with the HR director, while operational responsibility lies with IT technical operations. 
  • Unauthorized persons are prevented from accessing personal data or the equipment on which it is stored. Employee data is stored in a closed area that can only be accessed by HR, the payroll manager and the CEO. 
  • It is ensured that the company’s network is protected against intrusion from external networks with a firewall that only lets through necessary data traffic. 
  • It is ensured that the company’s network is protected against unauthorized use, for example by securing the wireless network. 
  • Extra measures have been taken for information that is particularly worthy of protection, such as sick leave, information about workplace adaptation, employee assessments, notes and warnings. 
  • Employees are trained in the use of the company’s IT system and the restrictions that apply. 

14. Deviations, analysis of deviations and measures to rectify them

We must continuously assess new systems and procedures against whether the processing of personal data complies with the rules in the Personal Data Act and the procedures in this document. If this is not the case, we must determine how we can increase compliance. We must document in writing both the deviations we have found and what we have done to correct them. 

In the survey form, we note which deviations we may have, what measures need to be taken and whether they have been taken. Anyone who discovers a deviation must initiate measures if necessary to limit or prevent significant inconvenience or consequential damage. Deviations are reported to the HR Director, who is responsible for the day-to-day follow-up of the regulations. Upon receipt of a report, the first step is to assess whether immediate measures are required. The HR Director must then ensure that measures are implemented to prevent the deviation from occurring again. 

15. Purchase of IT services – data processing agreements

We will usually act as data controller when we as a company purchase IT services from a service provider. We are then still responsible for ensuring compliance with data protection legislation when purchasing IT services, such as HR solutions or customer databases. 

Before purchasing IT services, we must assess whether the supplier meets the security requirements of the Personal Data Act. Reputable suppliers will often be able to document that they meet the requirements. We must also ensure that we enter into a data processing agreement that regulates how the data processor will handle the personal data it receives from and processes on our behalf. Suppliers will often have their own agreements that meet the requirements of the regulations, but if the supplier does not have its own agreements, we as a customer must describe our requirements to the supplier in an agreement and ensure that they undertake to comply with data protection legislation on our behalf. 

If the service provider is to transfer personal data to countries outside the EU/EEA, there must be a legal basis for this. 

16. Breach of personal data security

In the event of a personal data security breach (such as a hacker attack or loss of personal data), we shall immediately contact the Danish Data Protection Agency to determine what action we should take. 

“Personal data security breach” means a breach that leads to the accidental or unlawful destruction, loss, alteration, unlawful disclosure of, or access to, personal data that we process. 

In the event of certain breaches of personal data security, we shall notify the Norwegian Data Protection Authority and sometimes also the data subject. Notification to the Danish Data Protection Agency must be made immediately, and no later than 72 hours after we became aware of the breach. It is not necessary to notify the Norwegian Data Protection Authority if it is unlikely that the breach of personal data security will result in a risk to the rights of individuals. An example is where a security breach has led to unauthorized persons gaining access to personal data that is already publicly available. 

We have a duty to notify the data subject if it is likely that the breach of personal data security will result in a high risk to the rights and freedoms of individuals. We believe that our processing of personal data can only in exceptional cases lead to such a risk. 

We must document any breaches of personal data security. We do this by describing the actual circumstances surrounding the breach (“What has happened?”). In addition, we must describe the effects of the breach and the measures taken to remedy the breach. This documentation will enable the Norwegian Data Protection Authority to verify that the company has complied with the requirements of the Act. 

17. Privacy impact assessment and prior consultation with the Data Protection Authority

We shall carry out a data protection impact assessment when we plan to process personal data in a way that is likely to result in a high risk to the rights of individuals, such as the right to privacy. In assessing whether such an assessment is necessary, we shall take into account the nature, scope, context and purpose of the processing. We shall also take into account whether the processing uses new technology. 

There are several types of cases where a privacy impact assessment is required: systematic and extensive assessment of personal circumstances when the data is used for automated decision-making, processing of sensitive personal data on a large scale, or systematic monitoring of public areas on a large scale. 

In the above cases, we will familiarize ourselves with the special rules that apply, including the fact that the Data Protection Authority must sometimes be involved in preliminary discussions. 

18. Navigation information

Cookies 

We use cookies and similar technologies in our digital channels. Cookies help us to determine which parts of our digital channels are most popular, including which pages users visit and for how long. The information is used, for example, to develop and analyze services and target ads on the internet. 

What are cookies? 

A cookie is a small text file stored on the user’s device when they visit a digital channel, such as a website. Cookies are used, for example, to store login details or remember information from one page view to another. 

Cookies can be useful for both the owner and user of a digital channel. For example, the owner can customize the service based on the information stored. For the user, for example, visits to the digital channel can be perceived as more customized and user-friendly. 

You can choose not to allow the use of cookies, but our digital channels will not function optimally if cookies are not allowed. Most browsers allow you to change the settings so that the browser does not enable the use of cookies. Most browsers also allow you to delete cookies that are already stored on your device. How you enable, disable, and delete cookies varies from browser to browser, and you can find information about this on the provider’s website or under “Help” in the browser. 

What are cookies used for in our digital channels? 

We typically use the information collected using cookies for the following purposes: 

  • Functional cookies and service provision: Cookies are important for the operation of our digital channels, and they facilitate a good user experience. 
  • Service development: Cookies help us to monitor the use of our digital channels so that we can improve them. For example, we receive information about which pages are most popular, which links people come from or follow, and how long users stay on our websites. 
  • Usage analytics: We use cookies to collect statistical information about the number of visitors to our digital channels and to evaluate the effect of advertising. We may collect information from, for example, marketing material and newsletters sent by email to determine whether the messages were opened and whether users clicked on links to our website in the message. 

The following systems may place cookies on your device when you use our digital channels: 

  • Google Analytics: web statistics. Used to track users across multiple page views for web analysis. 
  • Google AdWords: conversion tracking and remarketing. Used to a) measure conversions and b) display targeted ads based on content you have viewed in our digital channels. 
  • Facebook: social buttons, conversion tracking, and retargeting. Used to a) display social buttons in digital channels, b) measure conversions, and c) display targeted ads based on content you have read in our channels. 
  • LinkedIn: social buttons. Used to display social buttons in digital channels. 

We may combine information from cookies with other information we have recorded about you and your customer relationship when allowed by applicable law or in accordance with your consent. By using our digital channels with a browser that allows cookies to be stored on the device, you consent to our use of cookies. Our websites may contain links to third-party websites, products, and services, including social media (e.g., Facebook’s social plugins). Third-party services or third-party applications available on our websites are subject to the third party’s privacy statement. We encourage you to become familiar with the privacy practices of these third parties. 

Log Files 

Information about your device specifications, software, and your visit is automatically collected by us. This information may include your IP address, browser type, domain name, internet service provider, files viewed (HTML pages, graphics, etc.), operating system, access time, and how you arrived at our digital channels. 

Tracking Pixels (e.g., Clear gifs, web beacons, web bugs) 

We use tracking pixels (also called clear gifs, web beacons, web bugs), which help us improve our digital channels by telling us which content is being displayed. Tracking pixels are small graphic elements with a unique identifier, similar to the function of cookies, and are used to track user behavior online. Unlike cookies stored on the user’s hard drive, tracking pixels are invisibly embedded in our digital channels or in emails. This allows us to measure the effectiveness of our marketing. We link the information we collect from emails to the customer’s personal information. 

19. Control, Update, and Revision of the Document

We will regularly update and revise this document. This is because rules in law and regulations may change, our processing of personal information may change, or experience may suggest that we should change our procedures. For the same reasons, we will also regularly review and update the forms with mapping of the processing of personal information. 

The Chief Executive Officer is responsible for identifying and incorporating the need for changes and revisions in the document and in the forms. This should be done annually. 

The evaluation should include questions such as: 

  • Have we, since the last revision, changed (new, modified, or terminated) the processing of personal information not covered in the document or in the forms? 
  • Do the six basic requirements for processing personal information suggest we should change procedures or practices? 
  • Have new rules in law or regulations come into force since the last revision, suggesting changes? 
  • Has the business identified areas for improvement in the document or forms since the last revision? 
  • Has new technology emerged that allows personal information to be better secured? 

20. Contact Information for Privacy

Dokka Fasteners does not have a dedicated privacy officer. If you believe that we are processing personal information in violation of the law, you can file a complaint with the Norwegian Data Protection Authority (post@datatilsynet.no). The contact person in the company will be the Chief Executive Officer or HR Director. 


Last revision: 24.01.2019