Moelven will process personal data as part of our business. We are committed to processing personal data in a safe, reassuring, and trustworthy manner.

Our processing as the controller of personal data is based on our activities and the purpose of our business. Below is information about the personal data we process about you, the legal basis for the processing, the purpose of the processing, how long we process the personal data, etc.

We may also process personal data in ways other than those mentioned below, in which case we will inform you of that processing by means other than this notice.

We process personal data both in Moelven Industrier ASA and in companies within the Moelven Group, i.e., subsidiaries directly or indirectly owned by Moelven Industrier ASA. Although the individual companies will be the data controllers for the processing of personal data related to their respective entities, Moelven Industrier ASA can always be contacted regarding the processing of personal data in our subsidiaries. Please see the contact information below.

If you have questions about the processing of your personal data, you can contact us; see our contact details below.

1. Responsible for the processing of personal data

The individual company that processes personal data in the Moelven group of companies is responsible for processing the personal data described here, i.e., decides why and how the personal data is processed (the data controller). 

Contact details for us as data controller:

Moelven Industrier ASA
Address: Industrivegen 2, 2390 Moelv
Postal address: Postboks 134, 2391 Moelv
Email: post@moelven.com
Phone: +47 62 34 70 00
Entity reg. no.: 914 348 803

 

2. Why and what kind of personal data do we collect and use

We collect and use your personal data for different purposes depending on who you are and how we contact you. 

All processing of personal data will be in accordance with this Privacy Notice and the privacy regulations in force at any given time, including the local privacy regulation and the General Data Protection Regulation (GDPR).

Personal data is any information about a physical person who can be identified directly or indirectly (such persons are called “data subjects”).

Processing personal data is any activity performed with personal data, for example, collection, recording, organising, structuring, storing, adapting, altering, transmitting, or deleting.

Below are the processing activities we carry out as the data controller in our business.

2.1 Communication and contact

We process personal data about those who contact us in order to answer and document the communication, and to contact others where this is not covered by the processing described elsewhere in the Privacy Notice. This applies to all forms of communication: physical and digital, written and oral.

In such cases, we process the name, telephone number, email address and any personal data that may result from the communication, including history/logs about the inquiry.

The processing is based on what we consider a necessary legitimate interest related to the above (see GDPR Article 6(1)(f)). Our legitimate interest is to contact others as part of our business, document our business, reply to those who contact us, and register such contacts. We have assessed that this is necessary to handle inquiries we receive and that the data subjects’ privacy does not override these interests.

Providing us with personal data is voluntary, but it will be necessary to answer inquiries.

We process the personal data until we expect that the contract will not be further followed up.

2.2 Email and other business solutions
We use email as a communication solution and other business solutions, such as document storage, cooperation solutions, etc., that will contain personal data. The processing is based on our assessment that we have a necessary legitimate interest in processing personal data via email (see GDPR Article 6(1)(f)) in order to have a work tool and communication solution, and that the data subjects’ privacy does not override these interests. Personal data processing depends on the purpose of the email and what is included in it. Emails and other information are deleted when no longer needed, and we have measures to ensure regular deletion.

2.3 Information and Marketing
If you request information or subscribe to our newsletter, we will send information about our products and services, benefits from partners, newsletters, and other information and marketing. We will then process your contact details and any information you provide in this context.

We process personal data to inform you about services and products that may interest you based on your consent (GDPR Article 6(1)(a)). You can withdraw your consent at any time by using any unsubscribe options in the communications you receive or by contacting us to opt out of direct marketing and/or profiling under GDPR Article 21(2).

We only process personal data, such as the email address and name, to send the newsletter, to make the communication more personal, and to ensure that it reaches the right person. The email address is not used for purposes other than sending the newsletter.

The processing will continue until you have received the requested information or withdrawn your consent. Thereafter, your personal data will be deleted.

2.4 Information on services
We may also send out information about our services and products that does not contain marketing. This will be done regardless of whether you have consented. Personal data will then be processed on the basis that we either fulfil a contract with you as an existing customer (GDPR Article 6(1)(b)) or based on our legitimate interest in informing our users and contacts about our services (GDPR Article 6(1)(f)). Alternatively, we may process the information based on your consent (GDPR Article 6(1)(a)). The purpose of the processing is then to keep you updated about products and services you receive and follow up on purchases of products or services. The processing of personal data will occur as long as you receive our services.

2.5 Business customers, suppliers, partners, etc.
We process personal data about contact persons of existing and potential business customers, suppliers, and other partners to manage our relationship with suppliers and others, prepare, implement, and document services and evaluate the use of services. In these cases, we will process names, contact information, company names and information related to the contact with the company in which the person in question works.

The processing of personal data is based on the necessary processing and legitimate interest in managing our relationships with our customers, partners, and suppliers. 

The processing of personal data is based on what we consider a necessary legitimate interest (GDPR Article 6(1)(f)) in managing the relationship with our customers, partners, and suppliers, and we have assessed that the data subject’s privacy does not override our interest.

We also store and disclose information where we have a legal obligation, for example, under accounting and tax legislation. 

We may store information for as long as necessary to document services-related matters.

In many cases, we will need to obtain personal data to enter into agreements with customers and suppliers and, among other things, to document that an agreement has been entered into. We cannot enter into agreements if we do not receive the information we need.

It is voluntary for contact persons to provide us with personal data. If we collect personal data from others, it will mainly apply to contact information (including name, address, telephone number and email address), position, function, employer, and any competence and references where relevant. The source for such information will be the contact person, employer, or something else, such as the employer’s website.

We store personal data until the relationship with the customer, supplier, or partner ceases or until the contact person ceases to be the contact person, with the abovementioned exceptions.

2.6 Recruitment
CVs, applications, certificates, and references are processed when recruiting for new positions with us. If the processing takes place through a recruitment solution or on the basis that it is necessary and within our legitimate interest to recruit new employees, the processing in this solution may be based on the consent that you have given or on fulfilling an agreement with the solution provider which you have agreed to when registering in the solution.

We may use recruitment services to manage applications, which will be our data processor. If you register with the job search service with your profile, the service will be a data controller responsible for processing, and reference is made to its privacy notice about the processing of personal data in the service. The processing of personal data is based on your consent obtained in the recruitment service (GDPR Article 6(1)(a)) or on the basis set forth below.

The basis for processing personal data when recruiting is that it is necessary to assess potential job seekers before entering into an employment agreement (GDPR Article 6(1)(b)).

If assessments are made in this regard, such as contacting persons who are not listed as a reference, carrying out background searches, etc., personal data is processed based on our necessary legitimate interest in ensuring that we find the correct candidate for the position (GDPR Article 6(1)(f)). For the latter, we have considered that the individual data subject’s privacy does not override our legitimate interest in recruiting new employees. We recommend that you not enter special categories of personal data, such as health, religion, political opinion, union membership, etc., in your application.

If we process special categories of personal data, we will do so based on your consent (GDPR Article 9(2)(a)). Consent can be withdrawn at any time, which will not affect the lawfulness of processing personal data before the consent was withdrawn.

If you have not agreed to further storage, information on the service will be deleted as soon as recruitment is done.

2.7 Images and film 
Images and film may be recorded and used as part of our business. This can include use on websites, in marketing materials, etc. To the extent that images/films are made public, i.e., accessible to multiple persons, consent will be requested for such disclosure if the individuals in question constitute the main subject under Section 104 of the Norwegian Copyright Act (åndsverksloven). If the individuals depicted/filmed are not the primary focus, such as situational photos, images of an audience, etc., no consent will be obtained.

The processing of personal data related to images/films will be based on our legitimate interest in using images/film to show and market our activities (GDPR Article 6(1)(f)), as we consider that this interest outweighs any potential consequences for those depicted. We will only use images and film where it is clear to those depicted that recordings are taking place.

Personal data related to images and films will be processed for as long as necessary to use them. This duration will depend on the purpose of the images/films and may vary accordingly. We will review images/films regularly to determine whether individual videos/films should be deleted or retained.

2.8 Events etc.
For event participants, contact information will be registered and processed, along with which event the person in question is to attend, so that the person in question can be identified as registered and the necessary communication can be carried out.

For event participants, contact information will be registered and processed, as well as the event the person attended, so that the person can be identified as a participant and necessary communication and possible invoicing of participation fee can be carried out. Processing of personal data will be based on fulfilling an agreement with the participant (GDPR Article 6(1)(b)) or, if the participants represent a company, on the basis that we have assessed that we have a necessary legitimate interest (GDPR Article 6(1)(f)) in holding events as part of our activities. In the latter case, we have considered that our legitimate interest overrides the data subject’s privacy.

If food and/or drinks are served, we may obtain information about food preferences, which can show health and/or religion. This information will only be processed to serve food and/or drinks and deleted immediately after the event. In such cases, the personal data will be processed based on consent.

2.9 Security and Camera Surveillance
We may process personal data through camera surveillance to comply with Health, Safety, and Environmental (HSE) standards in connection with our legitimate, necessary interests and to protect our employees, customers, properties, and equipment.

Information about the surveillance will be provided at the locations where it occurs. Recordings from camera surveillance will be deleted within seven days unless it is likely that they will be handed over to the police. In the latter case, the recordings will be deleted after 30 days unless otherwise required for legal purposes.

We also process personal data from visitors to our premises and other facilities by registering them in a visitor system. When this is the case, visitors will be informed via posted notices.

Logs from access control systems are deleted within 90 days.

2.10 Social media
We have contact with stakeholders and others through social media. We have established a Facebook page, where we are responsible for processing personal data in this connection with Facebook. Personal data will be processed through the Facebook page if you publish posts on the page, comment on posts, or «like»/follow the page. Our purpose for processing personal data through Facebook is to have contact with those of you who wish to communicate with us or otherwise interact on our Facebook page; see also the information about communication under Section 2.2 above.

In this context, your name and link to other information you posted associated with your name/account on Facebook are processed. In addition, everything you share through posts and comments on our Facebook page and the fact that you have “liked”/followed our website is processed. What you share on the Facebook page is up to you and voluntary.

We ask you not to share personal data in posts or comments on the website, especially not to share personal data about others, e.g. by «tagging» or mentioning people.

We process personal data on social media, such as Facebook, because we believe we have a legitimate interest in communicating with the outside world through social media and want to process personal data in this context (GDPR Article 6(1)(f)). We have assessed that it is necessary for us to communicate with the outside world and handle inquiries we receive, and that the data subject’s privacy does not override these interests.

The data will be processed as long as postings/comments are available on social media, and you can delete this at any time.

2.11 Use of websites, cookies etc.
On our website, we use solutions to collect and process information, such as cookies and similar technologies. The information collected may include your associated IP address, the type of browser you use, your operating system, and the date and time of visits to the website.

The information is used, among other things, to analyze trends so that we can make the website and services more user-friendly, to collect data that enhances the customer experience on the website and services by tailoring content, and to provide functionality on the website. This is based both on visitor behavior - for example, based on the services used, links clicked, or information read - and on the behavior of other users with similar usage patterns.

Additionally, the information is used to provide personalized marketing on our website, in advertising networks, and on social media. As far as practically possible, we strive to do this with anonymous data, without linking the information specifically to individual visitors.

We use cookies and similar technologies based on your consent, which you can provide when you first visit our website. This consent allows us to use such technologies to store or gain access to information on users' devices, except in cases where the use of such technology is strictly necessary, as stated in the Norwegian Electronic Communications Act § 3-15.

Personal data collected through the use of cookies that are strictly necessary for the website to function, as well as other functional cookies, statistical analysis, and website customization, will be processed based on our legitimate interest (GDPR Article 6(1)(f)), unless consent is required, in which case processing will be based on consent (GDPR Article 6(1)(a)), as outlined below. We have assessed that our interest in processing personal data outweighs the individual user's privacy concerns. However, we safeguard visitors' privacy by using the data solely for statistical purposes. In this statistical analysis, it is not possible to identify individual users. The data will be stored as long as necessary for the purposes mentioned above.

For personal data we collect and process for website personalization, depending on the type of data collected, and for marketing and analytics purposes - including transfers to partners and other third parties such as advertising networks and social media - processing and transfers are based on your consent (GDPR Article 6(1)(a)). 

Information about which cookies we use on our website, how long they collect data, and who the data is transferred to can be found on this page, where you can also change your cookie preferences and withdraw your consent.

3. Processing based on consent

If we process personal data based on your consent (see above), you can withdraw your consent at any time without affecting the lawfulness of processing before its withdrawal. Contact us if you want to withdraw your consent. Note that if you withdraw your consent, it may still be possible for us to continue processing all or part of the information if there is another basis for the processing.

 

4. Retention and deletion of personal data

We keep and store personal data for as long as necessary for the purpose for which it was collected and delete it under regulations. The length of time we process the individual data types is included above under the specification of the different processes. 

When we delete the information is stated above where the individual processes are discussed; otherwise, the storage period is based on the following criteria:

Whether we have a legal or contractual need to retain the information, as there may be claims directed against us.
Whether the information is necessary for our business.
Where the basis of processing is consent, when consent is withdrawn.
When we no longer have an ongoing legitimate need to process your personal data, it will be deleted or anonymised as quickly as possible in accordance with applicable law.

Instead of deleting the personal data, it may be relevant to anonymise it in some cases. Anonymisation removes all data that may identify or potentially identify data subjects (individual persons) from data sets.

This means, for example, that personal data that we process based on your consent will be deleted if you withdraw your consent. Personal data that we process in connection with sales or purchase agreements you have with us is deleted when the agreement is fulfilled and all obligations arising from the contractual relationship are fulfilled, such as legal obligations related to accounting, follow-up of customer-related complaints, etc. Personal data related to our fulfilment of legal obligations is deleted as soon as the legal obligations have been fulfilled, such as the obligation to keep accounts.

 

5. Disclosure or transfer of personal data 

We do not disclose or transfer personal data to others in cases other than those mentioned in this notice unless there is a legal basis for such disclosure/transfer. Examples of such a basis will typically be an agreement with or consent from the data subject or a legal basis that requires us to publish the information. The latter applies to public activities such as tax collection (if necessary), accounting/auditing, and other things we need in our business, such as a bank connection.

We use data processors to process personal data on our behalf. In such cases, we have entered into data processing agreements with the data processors to safeguard your rights and security for your personal data at all stages of the processing. 

If it is required by law or there is a suspicion that a crime has been committed in connection with our services, personal data may be disclosed to public authorities, such as the police, in case of an investigation.

If personal data may be subject to transfer to another organisation in connection with a merger, financing, reorganisation or dissolution transaction of all or part of us, we will only do so if the parties involved have entered into an agreement where the collection, use and sharing of personal data is limited to the purposes of the transaction, including a provision as to whether or not the transaction will proceed, and the personal data shall only be used by the parties involved to complete the transaction. If another company buys our business or assets, this company will have access to the personal data we collect and will assume the rights and obligations regarding your personal data as described in this privacy notice.

6. Transfer of personal data to recipients in countries outside the EEA 

It is an objective that all processing of personal data shall be carried out within the EEA, but we may use suppliers or process personal data outside the EEA. In such cases, transfer and processing outside the EEA will take place in countries approved by the EU Commission or under a valid legal basis for the transfer of personal data under GDPR Chapter V. If the transfer is not to a country approved by the EU Commission, it will only take place subject to the guarantees set out in GDPR Article 46(2). You can get information on the lawful basis used for the transfer if you contact us.

7. Links to third parties/other websites 

Our website may contain links to other websites or third parties offering products or services and sites not under our control. These links are provided only as an opportunity for users to obtain more information. Websites not part of ours, i.e., not under the addresses moelven.com, will process personal data as the data controller and may have separate and independent privacy notices. We have no responsibility for the content and activities of these websites.

8. Security of processing

We prioritise the security of personal data in our business and will implement all required technical and organisational measures to secure your personal data. If possible, all processing will be encrypted and unavailable to anyone other than those needing personal data to perform their tasks (“need-to-know”).

We ensure that personal data is correct, accessible, and handled according to its degree of sensitivity. We also use various security technologies and information security procedures to protect your personal data from unauthorised access, use, or disclosure. Where necessary, risk assessments are carried out.

We have entered into data processor agreements with all our suppliers who process personal data, where they assume the same degree of security as we ensure in processing personal data.

We restrict access to personal data to the staff or third parties who process the personal data on our behalf. These parties are subject to a duty of confidentiality.

Routines have been established for handling breaches of information security, and if there are breaches that pose a risk to personal data, we will notify the supervisory authority (Datatilsynet) as soon as possible and no later than 72 hours after the breach is discovered. If the breach entails a high risk to the privacy of the data subjects affected by the breach, they will also be notified.

 

9. Your rights when we process personal data about you

Below is a description of your rights when we process your personal data. To exercise your rights, you must contact us (see contact information above) or proceed as otherwise described below.

We strive to respond to your inquiry as soon as possible and within one month. If it takes longer than one month, you will be notified.

In some cases, we will request you to confirm your identity or provide additional information before you can exercise your rights to make sure that we only give access to your personal data to you - and not someone who pretends to be you.

9.1 Information
You have the right to information about the personal data we process about you. This policy provides information on the processing of personal data. You can also contact us if you want more information.

If we have disclosed information to others, we are obliged to inform the recipient of any requests for correction or deletion of personal data, see section 9.3 below, or restrictions on processing, see section 9.5 below, unless such notification is impossible or requires a disproportionately large effort. We are also obliged to inform you about such disclosure if you request it.

9.2 Access to Your Personal Data 
You have the right to request access to the personal data we process about you. Contact us if you want such access.

If you request it, you will also receive a copy of the personal data we process about you. We may ask you to specify which data you wish to receive a copy of to make the release easier for us. Upon providing a copy of your personal data, we may require you to identify yourself to ensure we do not disclose personal data to unauthorised persons. The information about you will be sent in digital form unless you request it to be transferred in another manner.

9.3 Correction and deletion
You can ask us to correct or delete personal data. We will, as far as possible, accommodate a request to delete personal data, but we cannot do this if the data is necessary for us.

9.4 Processing based on your consent
If we process personal data based on your consent, you can withdraw the consent at any time. The easiest way to withdraw your consent is to use the method you were informed of when you gave your consent, or to contact us.

9.5 Right to protest or restrict the processing
You have the right to have the processing of your personal data restricted or stopped in certain cases; see further GDPR Article 21.

Where our processing is based on legitimate interests, you can object to processing your personal data. If you object, we shall cease the relevant processing unless there are compelling legitimate grounds for continuing the processing.

You may also object to processing personal data concerning you for marketing purposes, including profiling, to the extent that it is related to such direct marketing, as per GDPR Article 22(2).

9.6 The right to data portability
For personal data that you have provided to us, which is necessary to carry out an agreement with us, and which is processed automatically (i.e. not manually by us), you can request that the personal data be disclosed or transferred to another provider in a structured, commonly used and machine-readable format (data portability).

9.7 Automated processing, including profiling
There will be no automated processing, including profiling, based on your personal data that may have legal effects or significantly affect those to whom personal data applies. See GDPR Article 22(1) and (4).

9.8 Right to be notified
If a data breach occurs, i.e., a breach of personal data security that would pose a high risk to your privacy, we will notify you without undue delay.

10. Complaints

We use the Norwegian Supervisory Authority (Datatilsynet) as the leading supervisory authority for cross-border processing under GDPR Article 56. 

If you suspect that our processing of personal data is not in accordance with what we have described here, or that we in other ways violate the privacy legislation, you can complain to the Norwegian Data Protection Authority. However, we ask you to contact us so we can correct the matter immediately.

You will find information about your rights and how to contact the Norwegian Data Protection Authority on the website: www.datatilsynet.no.

11. Amendments

Should our services or regulations on processing personal data change, the information provided to you here may be changed. If we have your contact information, we will inform you of these changes. The updated privacy notice is readily available on our website.