Original Approval Date: 18 June, 2020
Original Effective Date: 18 June, 2020
Approved by: Board of Directors
Policy Owner: Legal & Compliance Director
Policy Contact: Legal & Compliance Director
2 Personal data
Personal data means any information relating to an identified or identifiable natural person (a “data subject”). Your name, phone number, address and e-mail address are examples of information which is generally regarded as personal data.
3 ZTL’s responsibility as a controller
Our processing of your personal data is described in Section 4 below. We will act as a controller when we process this personal data.
- We process personal data about customer employees, representatives, beneficial owners and close associates of these, in order to administer and fulfill the agreements we have entered into with our customers and our regulatory obligations. Such personal data includes the data subject’s name, social security number, telephone number, email, address, copy of the data subject’s ID, account details etc.
We may, depending on the circumstances, also process other categories of personal data, and/or the above listed personal data for other purposes. This may for example be the case if you contact us with questions or comments. You may at any time request confirmation and/or information regarding the personal data which we process about you, by contacting us as described below.
4.2 The sources we obtain personal data from
We collect the personal data described in Section 4.1 above from the following sources:
5 Our legal basis for processing personal data
We will rely on the following legal bases for our processing of the above described personal data:
5.1 Entering into and administration of service and product agreements (performance of a contract or legitimate interest where the data subject is not the customer)
The main purpose of our processing of personal data is to collect, verify, and process personal data prior to entering into a contract with our customers as well as documenting, administering and completing tasks for the performance of contracts.
Examples of the performance of a contract:
5.2 Fulfilment of requirements and obligations for us stated in laws, regulations or decisions from authorities and supervisors (legal obligation)
In addition to the performance of contract, processing of personal data also takes place for us to fulfil our obligations under law, other regulations or authority decisions.
Examples of processing due to legal obligations:
6 Do we transfer or disclose data to third parties?
We use external service providers to assist with IT services and other administrative services, as well as accounting systems (ERP systems). These service providers will act as processors on our behalf. We have entered into data processing agreements with our processors which contain obligations for the data processor to implement technical and organizational measures to ensure an appropriate level of security, confidentiality and integrity for the personal data, as well as to only process the relevant personal data in accordance with the data protection legislation and our instructions.
We will not disclose your personal data to any third parties other than those described above, unless we are required to do so under applicable law, or if it is necessary in order to establish, exercise or defend legal claims.
7 Data retention
We will keep your data for as long as it is needed for the purposes for which it was collected and processed or required by laws and regulations.
This means that we keep your data for as long as necessary for the performance of a contract and as required by retention requirements in laws and regulations. Where we keep your data for other purposes than those of the performance of a contract, such as for anti-money laundering and bookkeeping requirements, we keep the data only if necessary and/or mandated by laws and regulations for the respective purpose.
Under the data protection legislation, you have certain rights we need to make you aware of. You have the following rights in connection with our processing of your personal data:
- You may contact us if you want to obtain confirmation with respect to whether or not we are processing your personal data, as well as access to and further information regarding our processing of your personal data. You may also request a copy of the personal data we are processing about you.
- You may request us to rectify and/or complete inaccurate or incomplete personal data.
- You may request that we delete your personal data. We will respect and comply with your request insofar as there are no other legal obligations or overriding legitimate interests requiring further retention, or the personal data is necessary for the establishment, exercise or defense of legal claims.
- You may also request the restriction of our processing of your personal data in accordance with data protection legislation. If the processing has been restricted, such personal data will, with the exception of storage, only be processed with your consent, for the exercise or defense of legal claims, the protection of the rights of another person, or for reasons of important public interest.
- You are entitled to object to certain processing activities, including for example processing of your personal data for marketing purposes. You are furthermore, on grounds relating to your particular situation (for example, a specific need for protection of your identity), entitled to object to processing of personal data based on legitimate interests, which we will comply with, unless there exist compelling legitimate grounds for our processing which override your interest, or if our processing is necessary for the establishment, exercise or defense of legal claims.
- If we process your personal data based on consent or based on our performance of a contract, and the processing is carried out by automated means, you may request us to transfer the personal data to you or another controller, in a structured, commonly used and machine-readable format.
Certain limitations exist in the rights provided by the data protection legislation and the rights available to you will depend on the particular circumstances of the processing. You can find more information on this topic on the Norwegian Data Protection Authority’s website, which is linked below.
Please contact us as described below if you wish to invoke your rights. Please also note that we may request additional information from you, if such information is necessary to confirm your identity.
As a controller, ZTL is responsible for the security and confidentiality of the personal data we process. Keeping your personal data safe and secure is at the centre of how we do business. We use appropriate technical, organizational and administrative security measures to protect any information we hold from loss, misuse, and unauthorized access, disclosure, alteration and destruction.
10 Lodging complaints – The Norwegian Data Protection Authority and other supervisory authorities
You may contact us at any time if you have any questions or complaints regarding our processing of your personal data. You may also file a complaint to the Norwegian Data Protection Authority, or a data protection authority in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged data protection infringement. The Norwegian Data Protection Authority is responsible for supervising Norwegian organizations’ processing of personal data.
You can obtain the contact details of the Norwegian Data Protection Authority on the following website: http://www.datatilsynet.no. You will also find more information on your rights and the data protection legislation on this website.
12 Contact information
ZTL has designated a data protection officer (DPO) (Nw: personvernombud) to advise and monitor our compliance with the data protection legislation. The DPO is the Legal & Compliance Director of ZTL. The contact information for our DPO is the same as below.
ZTL Payment Solution AS
Kristian IVs gate 15, 0164 Oslo
Ph: +47 9811 3838