Bjørnson privacy and data protection notice
The protection of privacy and responsible management of personal data, are of great significance to Bjørnson. To comply with current privacy and data protection laws, we have updated our routines for processing personal data.This privacy and data protection notice describes how Bjørnson gathers and uses personal data. This aims to provide you with information on how we process personal data.
2 Brief description of Bjørnson’s services
Bjørnson delivers expert consultancy within the areas of leadership and organisational psychology and development. Our core services include assessment and development of organisations, leaders, teams and organisational climate, as well as conflict management. We deliver also clinical assessments and counselling, which are defined as psychological health services. A much more thorough description of our offerings and service portfolio is provided at Bjørnson's website. In order to conduct our engagements, it is necessary to process personal data.
3 Bjørnson’s responsibility for processing personal data
Bjørnson is initially the data controller responsible for any personal data we process in connection with the operation of Bjørnson, and while conducting assignments for our customers. Personal data can be linked to own employees, job candidates, board members, shareholders, individual points of contact at customers and suppliers, private clients and potential clients, etc.
Bjørnson’s general manager, as senior data controller, has overall responsibility for Bjørnson's processing of personal data. The instances where the daily data controlling responsibility is delegated, are indicated under each item in this data protection and privacy notice. Only actual daily data processing tasks are delegated, not the data controller responsibility.
The client is to be regarded as data controller and Bjørnson as data processor when the assignment is clearly defined, and the client has stipulated a clear and limited purpose for how Bjørnson shall proceed. Bjørnson is also to be considered as a data processor when Bjørnson conducts data processing of personal data on behalf of clients. In those instances where Bjørnson is regarded as data processor for the client, a data processing agreement is entered into whereby it is stipulated how Bjørnson shall process personal data. Bjørnson enters into data processing agreements and sub-processor agreements (3rd party) with data processing companies engaged by Bjørnson to process the personal data of data subjects remaining the data controller. Both parties shall establish a binding agreement whereby it is stipulated that the processing of personal data shall be conducted in accordance with privacy legislation.
5 Knowledge on personal data, privacy and data protection rules
||SAs defined in the GDPR Article 4. Any information or assessment that may be associated with an identified or identifiable natural person (the data subject).
|Sensitive personal data:
||As defined in the GDPR Articles 4 and 9. Personal data relating to health, ethnic origin, union membership, sexual orientation, political or religious convictions.
|Data processing protocol:
||BProcessing protocol describes how personal data is processed in accordance with different categories of data subjects.
||As defined in GDPR Article 4. Each operation or range of operations conducted with personal data, whether automated or not, for example, collection, registration, organisation, structure, storage, adaptation or modification, retrieval, consultation, use, delivery by transmission, dissemination or other forms of disclosure, assembly or collocation, restriction, erasure or destruction.
||As defined in GDPR article 4. Physical or legal person, or any other entity that alone or in combination with others determines the purpose of processing personal data and the means used to process said data.
||As defined in the GDPR article 4. Physical or legal person, or any other entity that processes personal data on behalf of the data controller.
||As defined in GDPR article 4. Physical or legal person, or any other entity to which personal data is disclosed, whether they are a third party or not.
||As defined in the GDPR article 4. Any other natural or legal person, public authority or any entity other than the data subject, the data controller, the data processor and the persons authorised by the data controller, and who have the data controller's direct authority to process personal data.
|The data subject:
||As defined in GDPR Article 4. The person to whom the personal data may be attached.
||Consent by the data subject entails the voluntary, specific, informed and unambiguous will of the data subject, whereby he or she agrees to the processing of personal data pertaining to him/her.
|Data Protection Authority:
||An independent public authority established by a Member State in accordance with Article 51 of the General Privacy Regulation and responsible for monitoring compliance with privacy laws. In Norway the Data Protection Authority is Datatilsynet.
||Any structured collection of personal data that is available according to specific criteria.
|Other relevant legislation, with abbreviations:
||In addition to the Personal Data Act, the following acts are of significance to Bjørnson's processing of personal data: The Health Professionals Act; the Act on Archives - Act on Personal Health Data Filing Systems and the Processing of Personal Health Data (Personal Health Data Filing System Act); the Act on Marketing Control and Contractual Terms (Act relating to the control of marketing and contract terms and conditions); Act on Electronic Communications; and Work Environment Act (Working Environment Act).
Bjørnson shall ensure that employees and hired staff have relevant knowledge concerning privacy and the processing of personal data, as well as knowledge of this privacy and data protection notice. The extent of knowledge shall be adapted to the individual employee's need to process personal data. Some groups of employees may need special knowledge dependent upon whether they perform a personnel function, sales and/or marketing function. The management at Bjørnson shall at all times endeavour to have thorough knowledge of the regulations.
6 Review and evaluation of personal data processing protocols and practices
Bjørnson reviews and evaluates all processing of personal data. We do this through a personal-data-processing-protocol evaluation form, a separate document, where we specify: data subject categories, processing purpose, how we process information provided to us, and rationale for chosen processing method to name but a few. Along with the current data protection and privacy notice, the personal-data-processing-protocol evaluation form is a key part of the documentation describing how Bjørnson adheres to the provisions of the Personal Data Act. The personal-data-processing-protocol evaluation form is a key component of Bjørnson's internal control of processes that involve personal data.
7 Basic requirements for processing personal data
Current legislation sets out six basic requirements that apply to all processing of all personal data. Bjørnson shall ensure that personal data are:
- Processed in a lawful, fair and transparent fashion with regard to the data subject (“Legality, Justice and Transparency”)
- Gathered for specific, expressly stipulated and legitimate purposes, and that they are not further processed in a manner that is incompatible with these purposes (“Purpose Limitation”)
- Adequate, relevant and limited to what is necessary for the purposes for which they are being processed ("Data Mining")
- Correct and if necessary updated. All reasonable steps shall be taken to ensure that personal data that is incorrect -with regard to the purposes for which they are processed, is erased or rectified without delay ("Accuracy")
- Stored so that it is not possible to identify the registered persons for longer periods than is necessary for the purposes for which personal data are processed ("Storage Restriction")
- Processed in a manner that ensures adequate security of personal data. This entails protection against unauthorised or illegal treatment, and protection against accidental loss, destruction or damage, through the use of appropriate technical or organisational measures ("Integrity and Confidentiality")
If personal data is used for purposes other than those it was originally collected for (see bullet point 2 above), Bjørnson shall always evaluate whether the new or changed purpose is consistent with the original. Bjørnson shall then judge this in relation to the factors stipulated in the GDPR Article 6, section 4.
8 Legal basis for processing personal data
Bjørnson shall have at least one of the following grounds (legal basis) for all processing of personal data:
- The data subject has consented to the processing of his/her personal data for one or more specific purposes
- The processing of personal data is necessary to fulfil an agreement to which the data subject is a party, or to take action at the data subject's request prior to entering a contract
- The processing of personal data is necessary to fulfil a legal obligation that is the responsibility of the data controller
- The processing of personal data is necessary for purposes related to the legitimate interests pursued by the data controller or a third party, unless the data subject's interests or fundamental rights and freedoms take precedent and require the protection of personal data, especially if the data subject is a child (balancing of interest)
- The personal-data-processing-protocol evaluation form shall state what legal basis we have to process personal data
If the legal basis for personal data processing is the consent from the data subject, we shall put into effect the special rules applicable to such consent, including the requirement to document said consent.
If the legal basis for personal data processing is our legitimate interest (balancing of interest), we shall stipulate and document this balancing of interest in writing.
9 Your rights – access to information, rectification, erasure, complaint
You can exercise your rights by writing to the data controller or the data protection officer at Bjørnson, firma(a)bjornson.no
. See also contact information at the end of this data protection and privacy notice.
All those who require it are entitled to basic information about the processing of personal data within a business. Bjørnson has provided this information in this notice and will therefore refer to it upon eventual requests. Beyond this, the data protection officer at Bjørnson can answer questions from persons who have had, or may have their personal data processed by Bjørnson.
Data subjects whose data is registered within one of Bjørnson's systems or within our data processors’ systems, are entitled to have access to their own personal data. The data subjects concerned also have the right to request that incorrect, incomplete or personal data Bjørnson has no access to processing, be corrected, erased or supplemented.
Access to personal data requests from data subjects shall be responded to free of charge within no later than 30 days. Information will be erased on request. To do this please contact firstname.lastname@example.org. Bjørnson is responsible for ensuring that personal data is not made available to unauthorised persons and may, when in doubt, request that anyone wishing to exercise their rights over their own personal data provides proof of identity.
One of our most important tasks is to manage personal data and other data in a safe, user-friendly, and responsible manner. If you are dissatisfied with our processing of personal data or have suggestions on how we could improve this, please contact Bjørnson as stated above.
You also have the right to complain about our processing of personal data to Datatilsynet, Norway’s Data Protection Authority, by writing to postkasse(a)datatilsynet.no
10 When does Bjørnson collect personal data?
Bjørnson mainly handles information that you have provided us with for one of these reasons:
- You have applied for a job at Bjørnson
- You work at Bjørnson as a permanent employee or affiliate as a subcontractor
- You are defined as a contact person at a customer’s firm, a supplier or a business partner
- You are a participant in one our assessment and/or development engagements such as leadership development, team development, organisational climate surveys, etc
- You receive healthcare services as a private individual or as an employee of a company that is a customer of Bjørnson
- Through the use of a contact form, email or via telephone you have requested that Bjørnson contact you
- You have signed up to a course or seminar at Bjørnson
- You subscribe to news from Bjørnson
Bjørnson also receives personal data indirectly, for the following reasons:
11 What is recorded when you use the Bjørnson website?
- In connection with the delivery of our services to your employer
- An employee has named you as their immediate relative/carer
- A jobseeker has named you as their referee
Sales and marketing managers at Bjørnson have daily responsibility for Bjørnson's processing of personal data captured through bjornson.no
. The provision of personal data is voluntary and takes place when those who visit our website request services such as signing up for newsletters or invitations to various events, or when requesting information about services and products. The type of personal data collected through Bjørnson's website can include name, email address, and company name. The legal basis for processing these data is Article 6 section 1 a), of the EU General Data Protection Regulation - consent.
11.1 Web analysis
Bjørnson collects unidentified information about visitors to bjornson.no through Google Analytics.
We do this is in order to gather statistics that help us establish how to improve and further develop the information we provide on our site. The statistical data gathered show us, for example, how many people visit different pages, how long their visit lasts, what websites users come from, and what browsers they use. The information is processed in an unidentified and aggregated format. By unidentified we mean that the information we collect cannot be traced back to the individual user. We collect the entire IP address, but the IP address is unidentified so that only the first three number groups in the address are used to generate statistics. That is to say, if the IP address consists of the numbers 126.96.36.199, only 195.159.103.xx. is used. In addition, IP addresses are processed at aggregated level, that is to say that all data are merged into one group and not processed individually.
The data processing legal basis for this is GDPR Article 6 section 1 f), which allows us to process information necessary to safeguard a legitimate interest, and which weighs heavier than a consideration for the individual’s privacy. The legitimate interest is to ensure the improvement and usability of services at bjornson.no.
The user shall be made aware of and agree to: what information shall be processed, what the purpose of the data processing is, and who shall process the information, cf. Electronic Communications Act § 2-7b. To learn more about how to manage cookies visit nettvett.no
12 What is recorded when you contact Bjørnson?
12.1 E-mail and telephone
Bjørnson uses email and telephone as part of its daily work and in general dialogue with internal and external contacts. We scan all inbound and outbound email for viruses and malware.Bjørnson does not send sensitive personal data by e-mail. Please note that regular email is unencrypted. We therefore encourage you not to send confidential, sensitive or other confidential information via email. The legal basis for this is the GDPR Article 6 section 1 f), which allows us to process the personal data necessary to protect a legitimate interest that weighs heavier than the privacy of the individual. The legitimate interest is to secure Bjørnson's ICT infrastructure.
12.2 Contact form
On our website you will find a contact form through which you can ask Bjørnson to contact you. Here you are asked to provide name, email address, telephone number, topic area and a brief description of what the inquiry is about. You are specifically asked not to provide either confidential or sensitive information as the form is unencrypted. This is also explicitly stipulated in the contact form itself. When using the contact form, your enquiry will be sent via firma(a)bjornson.no
and will also be stored in our website’s Content Management System (CMS). We use the information you supply us with to contact you, and to provide you with adequate follow-up. Enquiries regarding sessions with a psychologist/psychological healthcare are transferred to PsykBase for further processing and follow-up wherever appropriate. Enquiries concerning Bjørnson's service portfolio will be registered into Bjørnson's Customer Relationship Management (CRM) system. The legal basis for this is the GDPR Article 6 section 1b), which allows us to process the information necessary to take action at the data subject's request prior to entering into a contractual agreement. Personal data is required in order to follow up on the data subject’s enquiry. Bjørnson will annually erase requests received via its website’s contact form.
13 Processing of personal data at Bjørnson
13.1 Personal data of employees
Bjørnson records and processes personal data from its employees in order to fulfil its payroll and personnel management duties, as well as to safeguard employer responsibility. The legal basis for processing these data will be to safeguard the obligations and rights attached to the employment contract, cf. the GDPR Article 6 section 1 b), as well as the employer's legitimate interests, cf. Article 6 section 1 f). Access to employees’ personal data at Bjørnson is limited to the general manager, the professional development manager, and the finance and administration manager. Third parties (Pension, Insurance, and/or Public Authorities) may also be allowed access to employee personal data in order to safeguard the interests of both employees and employers.
The types of personal data stored include:
- Contact information: name, national identity number, address, telephone number, immediate contact details, employee picture for web use, etc
- Job information: job title, his/her role responsibilities, description of his/her work, CV, in-role development details, etc
- Financial information: salary, bank account number, credit card number, etc
Bjørnson’s accounting services provider has access only to information that is necessary to carry out its duties within the areas of payroll management, salary and/or pension reporting, travel and outlay follow-up. Also stored is information necessary to ensure salary payment, including, salary level, time usage registration, tax rate, tax authority and work union membership. This information is provided only in connection with salary payments and/or other relevant statutory obligations. Information on profession name and profession code is publicly reportable information in accordance with Statistics Norway (ssb.no) coding and regulation. Our stand point concerning storage of employee personal data is that these should not be stored longer than necessary. Erasure of personal data routines follow accounting and archiving laws and other relevant legislation. Bjørnson will annually review stored employee personal data and erase any information for which our company has no grounds to store.
13.2 Job applicants’ personal data
When you apply for a job at Bjørnson, we handle personal data that is relevant to the recruitment process. This includes: place of study, grades achieved, references, and personal attributes. We need to process this information to assess job candidates. The legal basis for this is consent to the GDPR Article 6 section 1b) "... to take action at the data subject’s request prior to a contractual agreement or consent". When advertising a job, the advert itself will encourage applicants not to provide sensitive personal data. If your application still contains special categories of personal data, the legal basis for processing this is the GDPR Article 9, section 2 b) and h). All job applications with attachments are stored into an access restricted area on Sharepoint. Our stand point concerning storage of personal data is that these should not be stored longer than necessary. Bjørnson will review stored job applicants’ personal data, and erase applications and attachments once the application process is completed. For storage beyond the recruitment process, consent is obtained. Search lists and settings are retained.
13.3 Personal data concerning board members and shareholders
Bjørnson handles company board member’s personal data in relation to administration and recording of board work as well as reporting to public authorities. The legal basis for processing this personal data is the GDPR Article 6, section 1 c - processing is necessary to comply with a legal obligation, the Register of Business Registers, which requires companies to register personal data about directors. The retention of this personal data is a statutory obligation and will therefore not be erased. Board members can also be introduced by name, photograph and concise CV on Bjørnson's webpage, intranet, or via other relevant means. The legal basis for this processing is the GDPR Article 6, section 1 f), – balancing of interest. The processing is necessary to safeguard the legitimate interest of the company. The information will be erased or amended when the board member is replaced. Bjørnson handles shareholder personal data (natural persons) to fulfil regulatory obligations. The legal basis for processing of this is the GDPR Article 6, section 1 c) - the processing is necessary to fulfil a legal obligation, the Limited Liability Companies Act, which requires companies to retain information about former shareholders for 10 years. Shareholders can also be introduced by name, through their photograph on Bjørnson's webpage, intranet, or in other relevant contexts. The legal basis for this processing is the GDPR Article 6, section 1 f), – balancing of interest. This personal data processing is necessary to safeguard the legitimate interest of the company. Personal data will be stored in accordance with the legal authority. Processing of personal data, which has its legal basis on balancing of interest, will be erased or amended in accordance with changes to the shareholder structure.
13.4 Marketing and newsletters for current customers and business partners
If you or your employer have an existing customer relationship with Bjørnson Organisational Psychologists, we will be able to send you information by email or other electronic communication methods within the scope of the Marketing Act, unless you have asked us to do otherwise. The grounds for this will be the existing customer relationship whereby there exists a mutual interest in safeguarding the customer relationship. This is also clearly described by Datatilsynet, Norway’s Data Protection Authority, on their website: "This means that you do not need consent under the Marketing Act if the newsletter does not contain marketing. You also do not need to consent if the newsletter does contain marketing material, but there is an existing customer relationship in connection with sales. " (Https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2018/samtykke-til-nyhetsbrev-og-epostlister/
Datatilsynet, Norway’s Data Protection Authority, further describes: "A business must always have reasonable grounds for processing personal data such as name, telephone number and e-mail address. There are several possible grounds, amongst others: consent; a need to process the information in order to fulfil an agreement; or that processing of personal data is necessary to provide a legitimate interest that weighs heavier than a consideration to the individual's privacy". (https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2018/samtykke-til-nyhetsbrev-og-epostlister/
If you do not have an existing customer relationship with Bjørnson, we will only send you such marketing if you have given us your consent.
Bjørnson sends out newsletters and invitations via e-mail. In order for us to send you e-mail, you must register your name, company name, and e-mail address. When using the contact form, the personal data you register will be stored on our website’s CMS. We make use of MailChimp to send out our newsletter. The email address is stored in a separate database, not shared with others, and erased if you ask us to do so. The e-mail address will also be erased if we receive feedback that it is not active. The legal basis for collecting and processing your personal data in connection with Bjørnson's newsletter is an established customer relationship or GDPR Article 6, section 1 a), ie consent.
13.5 Registration to events
13.6 Personal data in contact register – Customer Relationship Management
We promote events on our website, bjornson.no, on Bjørnson's Facebook page and in addition, you can sign up yourself to each individual event. To indicate your interest, please enter your email address, name, and the name of the company you represent. This information is useful to give us an overview of who has indicated an interest in attending an event, and to ensure we send the correct information to the appropriate recipients. If we need to get in touch with interested parties to deliver important messages, we also use e-mail or the telephone.
The legal basis for the collection and processing of personal data related to events under the auspices of Bjørnson, is an established customer relationship or GDPR Article 6, section 1 a), i.e., consent. Bjørnson erases personal data that is registered in this regard and for which we have no grounds for storing on an annual basis.
Bjørnson uses the customer relationship management (CRM) tool Microsoft Dynamics 365 CRM. Various types of personal data related to our customers, suppliers, sponsors, and other business partners are stored in this CRM tool. This includes information such as name, position or area of responsibility, address, telephone number, email address, industry and any other relevant information. In this CRM tool, we indicate whether the person represents a customer, supplier, sponsor and/or business partner. The legal basis for the collection and processing of personal data within Bjørnson's CRM system is an established customer relationship or GDPR Article 6, section 1 a), ie consent.
13.7 Personal data in connection to service delivery – Customers’ employees
Bjørnson is, in some instances, required to processes the personal data of its customers’ employees when delivering services within the areas of healthcare, organisational and employee development, advisory and assessment. In addition, we need to process personal data when delivering performance evaluation services. The professional development leader at Bjørnson oversees, and has ultimate responsibility for, the processing of personal data within the context of service delivery and delivery of performance evaluation services.
13.7.1 Health services
Bjørnson delivers psychological healthcare services for its clients. When delivering psychological healthcare services such as sessions with a psychologist - Bjørnson uses PsykBase, an electronic journal system. Both personal data and sensitive personal data are stored within this system. This can include name, national identity number, telephone number, email, address, name of relatives or any other “in case of emergency” contacts, relevant health concerns, a description of treatment provided, etc. In accordance with current health legislation, Bjørnson’s professional development leader is responsible for the provision of psychological health services at Bjørnson. Routines and set procedures have been put in place to ensure the secure use of electronic journal systems. In addition, Bjørnson makes use of fireproof filing cabinets for the storage of session notes and any other relevant client journal notes, to be entered into PsykBase. The individual treating psychologist is otherwise subject to health legislation regulations, and is also personally responsible for ensuring that each case is managed in accordance to applicable legislation.
The legal basis for processing personal data in the field of psychological healthcare services is the current health legislation and journal legislation, as well as obtaining agreement from each individual patient.
Bjørnson will occasionally register and process personal data of its customers’ employees when engaged to assist in the development of a customer’s: organisation, team, managers, and/or employees. This will typically be information such as employee name, email address, role. Bjørnson has overarching data controller responsibility when conducting such assignments. Whenever required as a legal basis for processing of personal data, Bjørnson will obtain individual consent. When delivering services, both responsible consultants and administrative personnel at Bjørnson will have access to personal data as part of conducting an engagement.
Types of personal data that can be registered are:
- Contact information: Name, e-mail address, telephone number
- Job information: job title, role responsibilities, organisation of employees’ work, and development in the role, etc
Contact information and job information can be found in business proposal and delivery documents, and within documents evaluating our services. Information regarding our service delivery is stored at Bjørnson's Sharepoint - Microsoft Office 365 – which is used as an electronic archive and document management system. Bjørnson restricts internal access to Sharepoint in accordance with organisational role and responsibility. Individual employees at Bjørnson are responsible ensuring that the actual processing of personal data is carried out in accordance with relevant routines and procedures. Bjørnson regularly checks that said routines and procedures are followed.
Bjørnson delivers a range of surveys and assessment services. This includes self-developed, tailor-made tools, as well as standard third-party, off-the-shelf questionnaires and other assessment tools.
Bjørnsons’ assessment and survey offerings range from company-wide organisational climate surveys to individual assessment surveys. These can be either anonymous or non-anonymous. Further, the delivery of Bjørnson’s offerings within our clients’ organisations can consist of both individual level surveys and/or combinations of surveys. These may in turn range from quantitative to qualitative, anonymous or identifiable, individual or organisational climate studies, etc.
Bjørnson informs participants of both the purpose of the survey, and whether it is anonymous or not. Bjørnson will not share the information obtained with others, nor use this information for purposes other than those specified. Individual registered survey participants are given the opportunity to provide and/or withdraw their informed consent. They have the opportunity to contact Bjørnson to request access to their personal data and have them erased.
We are required to collect personal data in order to conduct surveys and other organisational or individual assessment engagements. This is done in order to both contact participants and report results. When reporting results to a customer, Bjørnson will ensure that any anonymity requirements grounded on ethical research principles are met. The legal basis for this is the GDPR Article 6, section 1 a), individual consent. The material is erased as soon as the legal basis for processing and storage is no longer present.
Use of third-party assessment tools
An overview of third-party assessment tool providers is outlined in the Data Processing Agreement. The legal basis for the processing of personal data in relation to using these tools is the data subject’s informed consent given prior to undertaking the assessment. Should it be desirable to make use of anonymised data for a purpose other than that for which consent was originally obtained - for example use of data for research purposes - this will either be stated when initially obtaining consent or alternatively, consent may be sought at a later stage but prior to use of said data.
14 Use of subcontractors
14.1 Use of subcontractors in service delivery
All subcontractors and hired consultants acting on Bjørnson’s behalf have a duty to familiarise themselves with Bjørnson's Data Protection and Privacy Notice and must agree to abide by it when conducting assignments for Bjørnson. In addition, all hired consultants sign a non-disclosure and confidentiality agreement.
14.2 Use of IT Providers and Data Contractors
Upheads AS (Org. No. 980 893 936) is used for the running of PCs, Active Directory servers, firewalls, print servers, Exchange (e-mail), Microsoft Office, and more. We use Sharepoint as a document management system and Upheads also provides services related to system and sharepoint development. Upheads is located in Norway and the consultants working for us are based in Norway.
Aspit AS (Org. No. 983 439 977) is Bjørnson's data processor responsible for management and maintenance of PsykBase, our healthcare services database. Information collected in connection with the operation of PsykBase is stored on Aspit’s own servers and operated by Aspit itself. Aspit attaches great importance to working for public and private healthcare providers, where data security is paramount. Aspit's server farms are located in the Green Mountain data center in Telemark. The data center is Tier lll certified, and holds ISO 9001, ISO 14001 and ISO 27001 certifications. All equipment is operated by ASPIT with ITIL certified operating personnel (see also www.aspit.no).
As a payroll and accounting system, including inbound invoice and travel expenses, we use services from Azets Insight AS (Org. No. 983 338 917). These services are run on their own servers. ProPlan Time is used as a system for managing working hours, overtime and absence. This is operated by ProPlan AS (Org. No. 959 472 823).
Destino AS (Org. No. 960 339 355) is our supplier for the development and maintenance of Bjørnson's website. Information collected in connection with the operation of the website is stored on own servers operated by Destino. Only Bjørnson and Destino have access to the information collected.
15 Data Protection Officer
Bjørnson has deliberated whether the privacy regulation requires Bjørnson to have a data protection officer. We have very few physical persons as customers. We do not conduct regular and systematic monitoring of registered users on a large scale. For most categories of registered users, we usually process common personal data such as name, address, employer, e-mail address, telephone number and the like. Through delivery of conflict management services, psychologist sessions, individual assessment, and organisational climate surveys, both qualitative and quantitative, we might handle sensitive information about our customers’ employees. After careful consideration of the above, we have concluded that Bjørnson is not subject to a legal requirement to have a data protection officer, but we have nevertheless chosen to have a data protection officer. Bjørnson’s head of Services has been designated as our data protection officer. The main tasks of the data protection officer are to be a professional resource in terms of privacy, to provide information and guidance on, and to ensure compliance with, regulations and internal guidelines for the processing of personal data. The data protection officer acts as a link between Bjørnson as data controller and the Data Protection Authority (Datatilsynet) as supervisory authority. The data protection officer also answers questions from individuals who may have their own personal data handled by Bjørnson. Contact details for our data protection officer can be found at the end of this document.
16 Risk assessment
At Bjørnson we regularly evaluate our routines and procedures for handling personal data. By regularly conducting such evaluations we are best able to identify and target any necessary security measures. These evaluations include: exploring the likelihood and severity potential (i.e., risk) for persons' rights and liberties being infringed, e.g., risk for property or capital damage, risk for medical damage, and/or risk for physical or any other type of injury. Examples of injuries can be discrimination, identity theft, libel, reputation damage, and risk for confidential information becoming known to unauthorised individuals, and/or invasion of privacy.
Bjørnson’s records of processing GDPR regulated activities, reveals that we:
- To a large extent mainly handle general contact information, such as name, address, employer, e-mail address, telephone number, etc
- Psychologist sessions containing sensitive personal data are handled by healthcare professionals - psychologists - within a separate journal system that has high IT security as a priority
- When working on the delivery of conflict management services, individual assessments, and qualitative workplace surveys containing personal data, we make use of established procedures to ensure that personal data are not disclosed to unauthorised persons
- Handling personal data of employees is usually a pre-requisite for managing personnel relationships, and as such essential for compliance with statutory obligations.
- Bjørnson has few private customers
- Do not handle or manage personal data relating to children
- Processing personal data is an element of running general business activities
Based on this risk assessment, we conclude that the consequences resulting from a breach of our rules would be particularly serious for personal data collected during the conduct of psychologist sessions. Bjørnson is data controller for psychologist sessions.
Taking wider societal trends into account, we consider potential attempts to breach our data systems as an increasingly likely risk.
We will continuously risk-assess our ICT operating model and any relevant changes that could potentially impact data security, such as when we buy new IT services and evaluate suppliers. The results of risk assessments shall be approved by Bjørnson’s CEO as data controller.
We have established data processing agreements with all our IT providers that process personal data.
We have established our own procedures for processing sensitive personal data, including limitation of access.
We have established routines and procedures for safeguarding IT security at all levels and areas at Bjørnson.
17 Data Security
We shall, as stipulated by current law, implement appropriate technical and organisational measures to achieve a level of security that corresponds to the risks associated with our processing of personal data. We shall then evaluate the most up to date technology, the costs of execution, and the nature, extent and purpose of the data processing, and the context to which it is carried out. Our risks have been assessed in the above section.
In addition to the already implemented security measures, the following actions have been undertaken:
18 Deviation, analysis of deviation and corrective measures
- The data protection officer is appointed with special responsibility to ensure safety
- Employees shall be given relevant training in the processing of personal data
- Lead consultants shall be given customised training on the processing of personal data
- Annual risk assessment is included as activity in internal control work
As part of development and implementation of our privacy and data protection notice, Bjørnson has established and, wherever required, corrected the company's set routines and personal- data handling processes so as to comply with the rules stipulated in the Personal Data Act and the routines stated in this notice. Central to our efforts has been the creation of a "data processing protocol", where we have mapped Bjørnson's processing of personal data and any deviations from data processing routines for each category of data subject. Any identified discrepancies have been rectified or are in the process of being rectified.
Going forward, we shall ensure compliance with the Personal Data Act by reviewing and evaluating our personal-data-processing routines and processes on an annual basis. We will document both any incidents identified and any measures undertaken to correct them. Discrepancies shall be recorded on Bjørnson's Incident Log as part of our quality assurance process. Incidents shall be handled in accordance with discrepancy processing of personal data guidelines.
An incident, also termed discrepancy or security breach, is defined as a breach of security that leads to accidental or illegal destruction, loss, change, illegal distribution or access to personal data that has been transferred, stored or otherwise processed.
In case of a discrepancy (i.e., an incident or security breach), the Data Protection Authority (Datatilsynet) shall be notified within 72 hours after Bjørnson, as data controller, has been informed of the incident. The parties concerned (the data subject, the customer) shall be notified with the following content:
- Description of the discrepancy/incident
- Contact information to the data protection officer or other point of contact at Bjørnson
- Description of possible consequences of the incident
- Description of measures, planned or put in motion, to rectify and limit the consequences of the incident
In the following cases, Bjørnson may not alert the affected persons:
- When protective measures are already in place, and which make the information or personal data in question unreadable to unauthorised persons, for example through encryption
- If subsequent measures have been implemented that make the likely risk no longer real
- If it is disproportionately difficult to notify each of the affected persons. In such cases, the information shall instead be disclosed or shared via other means, and in such a way that the affected parties are nevertheless effectively informed
If necessary, personal-data-processing incidents or discrepancies shall be notified to the Data Protection Authority.
19 Check and review of data protection and privacy notice, and data processing protocol
This privacy and data protection notice is updated and revised continuously. There are multiple reasons for this, namely, that the relevant legal rules and regulations may be changed, the manner in which we process personal data may change, or experience may indicate that we should indeed amend our routines and procedures. For the same reasons, we will also regularly review and update the data processing protocol (protocol evaluation form). Bjørnson’s general manager/senior vice president has responsibility for identifying any necessary changes and revisions to be incorporated into the document and in the data processing protocol.
The evaluation would include, for example, the following questions:
20 Contact Information
- Have we, since the previous data-handling-process revision changed, that is to say updated, amended or completed any personal-data-handling processes, which have not yet been included into the data-processing-protocol evaluation form?
- Do the six basic requirements for processing personal data indicate that we should change routines or practices?
- Since the previous data-handling-process revision, have new legal or regulatory requirements come into effect and which would imply a need to make changes to internal processes and routines?
- Has the business since last data-handling-process revisions discovered other areas to be improved in the data-processing-protocol evaluation form?
- Has new technology that would enable personal data to be safeguarded in a better way become available?
Data Controller at Bjørnson: Ingrid Ottesen, CEO
Data Protection Officer at Bjørnson: Ane Johnsen Lien, Head of Services
firma(a)bjornson.no | +47 4000 23 43 | Stokkamyrveien 13, N-4313 SANDNES