Privacy information


Bjørnson privacy policy


Privacy and the proper handling of personal data have always been important to Bjørnson. Our use and processing of personal data complies with the applicable privacy legislation. This privacy statement explains how Bjørnson collects and uses personal data.

1   Introduction
2   Bjørnson in brief
3   Bjørnson's responsibility for the processing of personal data
4   Definitions
5   Knowledge of the rules about personal data and privacy protection
6   Mapping of the processing of personal data
7   Basic requirements for processing personal data
8   Basis for processing personal data
9   Your rights - access, correction, deletion, complaints
10  When does Bjørnson collect personal data?
11  What is recorded when you use the website?
12  What is recorded when you contact Bjørnson?
13  Processing of personal data at Bjørnson
14  Use of subcontractors
15  Privacy commissioner
16  Risk assessment
17  Information security
18  Deviations, analysis of deviations, and corrective measures
19  Control and revision of the privacy statement and processing protocol
20  Contact information

1 Introduction

This privacy policy provides information about how Bjørnson Organizational Psychologists (reg. no. 983 459 285) (hereafter also Bjørnson) processes personal data. Bjørnson has a duty to provide information about its processing of personal data to anyone who requests it. The latest version of our privacy policy is always available at https://www.bjornson.no/privacy-policy. Bjørnson is obliged to protect and respect your privacy per the Personal Data Act, the EEA Agreement annex XI no. 5e, and EU data protection regulation 2016/679 (hereafter also GDPR) on the protection of natural persons in connection with the processing of personal data. This statement forms part of Bjørnson's internal control for the processing of personal data.



2 Bjørnson in brief

Bjørnson has specialist expertise in management and organizational psychology. Our core deliverables are the mapping and development of organisations, managers, teams, and working environments, and assisting with conflict management. We also deliver psychological consultations, which are defined as health services. In order to carry out our tasks, it is necessary to process personal data. A detailed description of our product and service portfolio is available at www.bjornson.no.



3 Bjørnson's responsibility for the processing of personal data

Bjørnson is responsible for the processing of personal data that takes place in connection with the operation of Bjørnson, and the execution of assignments for Bjørnson's customers. This personal information may be linked to our employees, job applicants, board members, shareholders, contact persons of customers and suppliers, private customers, and potential customers, etc.
Bjørnson, through our general manager, is the overall data controller for Bjørnson's processing of personal data. Where responsibilities in relation to this are delegated, they are specified under each individual point in the privacy policy. This delegation only extends to tasks, not responsibilities.

When an assignment is clearly defined and the customer has set a clear and defined purpose for how Bjørnson will work with it, the customer is considered the data controller and Bjørnson the data processor. Bjørnson is also considered the data processor in cases where Bjørnson processes personal data on behalf of the customer. In cases where Bjørnson is a data processor for the customer, a data processor agreement is entered into which determines how Bjørnson shall process personal data. Bjørnson enters into data processor agreements and sub-processor agreements (third party) with data processors engaged by Bjørnson to process personal data belonging to the controller's data subjects. Both parties must establish a binding agreement on the processing of personal data in line with privacy legislation.



4 Definitions

Terms and their definitions/descriptions:
  • Personal data: As defined in GDPR article 4. Any information relating to an identified or identifiable natural person (‘data subject’).
  • Sensitive personal data: As defined in GDPR articles 4 and 9. Personal information related to genetic, biometric, and health data, as well as personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions, or trade union membership.
  • Processing protocol: The processing protocol describes how personal data for different categories of users is processed.
  • Processing: As defined in GDPR article 4. Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Controller: As defined in GDPR article 4. The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor: As defined in GDPR article 4. A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Recipient: As defined in GDPR article 4. A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
  • Third party: As defined in GDPR article 4. A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
  • Data subject: As defined in GDPR article 4. One who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Consent: As defined in GDPR article 4. ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • Supervisory authority: As defined in GDPR article 4. An independent public authority established by a Member State pursuant to Article 51 of the GDPR, which is responsible for monitoring compliance with privacy legislation; in Norway, the Norwegian Data Protection Authority.
  • GDPR: General Data Protection Regulation (GDPR). The EU’s privacy regulation.
  • Register: Any structured collection of personal data that is available according to specific criteria.
  • Other relevant legislation, with abbreviations: In addition to the Personal Data Act, the following laws are relevant to Bjørnson's processing of personal data: Health Personnel Act (Health Act), Norwegian Archives Act (Archives Act), Act relating to the control of marketing and contract terms and conditions, etc. (Marketing Act), Act relating to electronic communications (Ecom Act), and the Working Environment Act.


5 Knowledge of the rules about personal data and privacy protection

Bjørnson must ensure that employees and hires have relevant knowledge of the rules on privacy and personal data, including this privacy policy. The level of knowledge must be adapted to the individual employee's processing of personal data. Certain groups of employees need special knowledge, e.g. personnel function, sales and marketing function. The management at Bjørnson must always have a good knowledge of the regulations.


6 Mapping of the processing of personal data

Bjørnson maps all processing of personal data. We do this in a processing protocol, a separate mapping form in which we indicate, among other things, the categories of data subjects, the purpose of the processing, how we process the information, and the basis for the processing. Together with this privacy statement, the processing protocol is a central part of the documentation that describes how Bjørnson complies with the provisions of the Personal Data Act. The processing protocol is included in Bjørnson's internal control for the processing of personal data.


7 Basic requirements for processing personal data

The Act sets out six basic requirements that apply to all processing of personal data. Bjørnson must ensure that personal data is:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’)
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
If personal data is used for purposes other than those for which it was collected (see bullet point 2), Bjørnson must always assess whether the new or changed purpose is compatible with the original one. In doing so, Bjørnson must take into account the factors set out in Article 6 No. 4 of the GDPR.



8 Basis for processing personal data

Bjørnson must have at least one of the following grounds for any processing of personal data:
  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Processing is necessary for compliance with a legal obligation to which the controller is subject
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The mapping form must state which basis or bases we have for processing the information.

If the basis for processing is consent from the data subject (see the first bullet point), we shall familiarize ourselves with the special rules that apply to such consent, including the requirement for documentation. If the basis for processing is the protection of a legitimate interest (balancing of interests; see the legitimate-interest bullet point above), we will specify and document the balancing in writing.



9 Your rights - access, correction, deletion, complaints

You can exercise your rights by sending an e-mail to firma@bjornson.no or to the data controller or data protection representative in Bjørnson. See contact information at the end of the privacy policy.

Everyone who asks is entitled to basic information about the processing of personal data in a business. Bjørnson has provided this information in this declaration, and will refer to it in the event of any enquiries. In addition to this, the data protection officer in Bjørnson will be able to answer questions from people who have/may have personal data processed by Bjørnson.

Those who are registered in one of Bjørnson's systems or with our data processors have the right to access their own information. They also have the right to request that incorrect information, incomplete information, or information that Bjørnson is not permitted to process be corrected, deleted, or supplemented. Requests from the data subject must be answered free of charge and within 30 days. Information will be deleted on request by contacting firma@bjornson.no. Bjørnson is responsible for ensuring that personal information is not made available to unauthorized persons and can, in case of doubt, ask the person who wishes to exercise their rights to confirm their identity.

One of our most important tasks is to manage personal information and data in a safe, user-friendly, and responsible way. If you are dissatisfied with our processing of personal data or have suggestions on how we can improve, you can contact Bjørnson as stated above.

You also have the right to complain about our processing of personal data to datatilsynet.no.


10 When does Bjørnson collect personal data?

Bjørnson typically processes information you have given us for one of the following reasons:
  • You have applied for a job at Bjørnson
  • You work at Bjørnson as an employee or work with Bjørnson as a contractor
  • You have been defined as a contact person for one of our customers, suppliers, partners etc.
  • You participate in mapping and/or development work such as leadership development, team development, work environment mapping, etc.
  • You receive healthcare services as a private individual or as an employee of a business that is a customer of Bjørnson
  • You have asked Bjørnson to contact you via the contact form on our website, by e-mail, or by telephone
  • You have registered for a course or seminar
  • You subscribe to receive news from Bjørnson
Bjørnson also receives personal data indirectly for the following reasons:
  • In connection with a delivery to your employer
  • An employee has stated you as the next of kin
  • A job applicant has provided you as a reference

11 What is recorded when you use the website?

The sales and marketing manager at Bjørnson has day-to-day responsibility for Bjørnson's processing of personal data at bjornson.no. It is voluntary for those who visit the websites to provide personal information in connection with services, for example to receive newsletters, invitations to various events, information about services and products. Personal information collected via Bjørnson's website will be name, e-mail, company. The basis for processing is GDPR Article 6 No. 1 a), consent.

11.1 Web analytics

Bjørnson collects de-identified information about visitors to bjornson.no through Google Analytics. The purpose of this is to prepare statistics that we use to improve and further develop the information offered on the website. Examples of what the statistics show include the number of people that visit various webpages, how long visits to our website last, which websites users are coming from, and which browsers are being used.

The information is processed in de-identified and aggregated form. De-identified means that we cannot trace the information we collect back to the individual user. We collect the entire IP address, but the IP address is de-identified so that only the first three groups of the address are used to generate statistics. That is, if the IP address consists of the numbers 195.159.103.82, only 195.159.103.xx is used. In addition, the IP addresses are processed on an aggregated level, i.e. all data is combined into a group and not processed individually.

The processing basis for this is GDPR Article 6 No. 1 f), which allows us to process information that is necessary to safeguard a legitimate interest that outweighs the consideration of the individual's privacy. The legitimate interest is to improve our services and to ensure that services on bjornson.no work correctly.

Currently, no cookies are used on bjornson.no.

Cookies are small text files that are placed on your computer when you load a webpage. Storage of such information and its processing is not permitted unless the user has both been informed and has given consent to the processing. The user must be informed about, and approve, which information is processed, what the purpose of the processing is, and who will process the information, per section 2-7b of the Ecom Act on the use of cookies.



12 What is recorded when you contact Bjørnson?

12.1 E-mail and telephone

Bjørnson uses e-mail and telephone as part of our daily work, and in general dialogue with internal and external contacts. We scan all incoming and outgoing e-mails for viruses and malware.
Bjørnson does not send sensitive personal data by e-mail. Please note that regular e-mail is unencrypted. We therefore encourage you not to send sensitive or confidential information via e-mail. The processing basis for this is GDPR Article 6 No. 1 f), which allows us to process information that is necessary to safeguard a legitimate interest that outweighs the consideration of the individual's privacy. The legitimate interest is to secure Bjørnson's ICT infrastructure.

12.2 Contact form

Our website includes a form through which you can request that Bjørnson contact you. Individuals using this form are asked to provide their name, e-mail address, telephone number, the subject of their request, and a brief description of what their inquiry is about. The applicant is asked not to provide any sensitive or confidential information, as the form is unencrypted. This is also explicitly stated in the contact form itself.

When you use the contact form, your inquiry will be sent via firma@bjornson.no and will also be stored in the CMS (Content Management System) belonging to our website. We use the information provided to contact individuals who have filled out the form, and to provide adequate follow-up. Inquiries regarding psychological consultations/health care are transferred to PsykBase for further treatment follow-up where applicable. Inquiries concerning Bjørnson's service portfolio will be registered in Bjørnson's CRM system. The processing basis for this is GDPR Article 6 No. 1 b), which allows us to process information that is necessary to carry out measures at the data subject's request before entering into an agreement. The personal information is necessary to be able to follow up the data subject's inquiry. Bjørnson will delete inquiries received via the contact form on the website on an annual basis.



13 Processing of personal data at Bjørnson
 
13.1 Employees' personal information

Bjørnson registers and processes personal data about its employees in order to administer salary and personnel responsibilities, as well as to take care of employer responsibilities. The basis for processing is to safeguard obligations and rights linked to the employment agreement per GDPR article 6 no. 1 b), and potentially article 6 no. 1 f) (protecting legitimate interests). At Bjørnson, it is the general manager, professional manager, and finance and administration manager who have access to this information. In some cases, a third party (pension, insurance, public authorities) may also get access to employees' personal data in order to safeguard the interests of the employee and the employer.

Types of personal data that are registered are:
  • Contact information: name, social security number, address, telephone number, next of kin, picture of employee for use on the web, etc.
  • Job information: job title, the person's work instructions, organization of the person's work, CV, and development in the role, etc.
  • Financial information: Salary, account number, credit card, etc.

Bjørnson's accountant has access to what is necessary for payroll processing, payroll reporting, pension reporting, and travel and expenditure follow-up. Necessary information is recorded for payment of salary: salary level, hour registration, tax percentage, tax municipality, and trade union membership. The information is only disclosed in connection with salary payments and other statutory disclosures. Information about name and occupational code according to Statistics Norway's code overview is publicly reportable information. The starting point for the storage of other personal data about employees is that it should not be stored for longer than is necessary. Deletion routines for personnel information follow the Accounting Act, the Archives Act and all other relevant laws. Bjørnson will, on an annual basis, review stored personal data about employees and delete information that we have no reason to keep.


13.2 Job applicants' personal information

If you apply for a job at Bjørnson, we process personal data that is relevant in the recruitment process. This includes place of study, grades, references, and personal characteristics that are relevant to the job. This information must be processed in order for the relevance of candidates to be assessed. The processing basis for this is GDPR Article 6 no. 1 b) "...necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract". In our job postings, we encourage applicants to refrain from providing sensitive personal information. If applications nevertheless contain special categories of personal data, our basis for processing is GDPR article 9 no. 2 b) and h). All job applications with attachments are registered in an access-restricted area on SharePoint. The starting point for storing personal data is that it should not be stored for longer than is necessary. Bjørnson will go through stored personal data about job applicants and delete applications and attachments when the application process is complete. Consent is obtained for storage beyond the recruitment process. Search lists and settings are preserved.


13.3 Personal information of board members and shareholders

Bjørnson processes personal information about company board members in connection with the administration and minuting of board work, as well as through reporting to public authorities.
The processing basis for this is GDPR article 6 No. 1 c) - the processing is necessary to fulfill a legal obligation, the Enterprise Register Act, which requires companies to register personal information about board members. Retention of this personal information is permitted by law, and it will not be deleted. Board members can also be presented with their name, photo and brief CV on Bjørnson's website, intranet, or in other relevant contexts. The processing basis for this is GDPR article 6 no. 1 f) - balance of interests. The processing is necessary to safeguard the company's legitimate interest. The information will be deleted/changed when a board member is replaced. Bjørnson processes personal information about shareholders (individuals) in the company to fulfill official requirements. The processing basis for this is GDPR article 6 no. 1 c) - the processing is necessary to fulfill a legal obligation, the Swedish Companies Act, which requires companies to store information about former shareholders for 10 years. Shareholders can also be presented by name and photo on Bjørnson's website, intranet, or in other relevant contexts. The processing basis for this is GDPR article 6 no. 1 f) - balance of interests. The processing is necessary to safeguard the company's legitimate interest. The personal information will be stored in accordance with legal authority. Personal data processed on the basis of a balancing of interests will be deleted/changed in connection with changes in the shareholder structure.


13.4 Marketing and newsletters to active customers and business relations

If you or your employer have an existing customer relationship with Bjørnson, we may send you information by e-mail or other electronic communication methods within the framework of the Marketing Act, unless you have asked us otherwise. The basis for processing is the existing customer relationship, where the common interest is to look after the customer relationship. This is also clearly described by the Norwegian Data Protection Authority: 'That is, you do not need consent according to the Marketing Act if the newsletter does not contain marketing. You also do not need consent if the newsletter contains marketing, but there is an existing customer relationship in connection with sales.' (https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2018/samtykke-til-nyhetsbrev-og-epostlister/).

The Danish Data Protection Authority further describes that a business must always have a basis for processing personal data such as name, telephone number and e-mail address. There are several possible grounds for processing, including consent, that it is necessary to process the information in order to fulfill an agreement or that it is necessary to safeguard a legitimate interest that outweighs the consideration of the individual's privacy. (https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2018/samtykke-til-nyhetsbrev-og-epostlister/)

If you do not have an existing customer relationship with Bjørnson, we will only send such marketing if you have given us consent.

Bjørnson sends out newsletters/invitations via e-mail. In order for us to be able to send you e-mails, you must register your name, company name and an e-mail address. When you use our contact form, the personal data you register will be stored in the CMS belonging to our website. MailChimp is used for sending the newsletter. The e-mail address is stored in a separate database, is not shared with others, and is deleted if you unsubscribe from our mailing list. The e-mail address is also deleted if we receive feedback that it is not active. The processing basis for the collection and processing of your personal data in connection with Bjørnson's newsletter is an established customer relationship or GDPR article 6 no. 1 a), consent.



13.5 Registration for events

We market events on our website, bjornson.no, and on Bjørnson's Facebook page. In addition, it is possible to register to receive information pertaining to upcoming events. To register to receive this information, you must enter your e-mail address, name, and which company you represent. We use this information to provide an overview of who has expressed an interest in an event and to ensure that we send the right information to the right recipients.
If we need to get in touch with stakeholders to share important messages, we may also use e-mail or telephone.

The processing basis for the collection and processing of personal data in connection with events run by Bjørnson is an established customer relationship or GDPR article 6 no. 1 a), i.e. consent. Bjørnson deletes personal data registered through this connection, and that which we have no reason to keep, on an annual basis.


13.6 Personal information in the contact register - CRM

Bjørnson uses the CRM tool Microsoft Dynamics 365. Different types of personal data belonging to customers, suppliers, sponsors and other collaboration partners are registered in the CRM tool. This is information such as name, position/area of responsibility, address, telephone number, e-mail address, industry and other relevant information. In the CRM, it is stated whether the person represents a customer, supplier, sponsor and/or business partner. The processing basis for the collection and processing of personal data in connection with Bjørnson's CRM system is an established customer relationship or GDPR article 6 no. 1 a), i.e. consent.


13.7 Personal information in connection with deliveries - employees of customers

Bjørnson processes personal data about employees of our customers in connection with the delivery of healthcare services, development/consulting, and mapping. In addition, we process personal data in connection with the evaluation of assignments. Bjørnson's Academic Director is responsible for the processing of personal data in connection with deliveries and evaluation.


13.7.1 Healthcare

Bjørnson is the data controller for healthcare services. For the part of the business that concerns health services - psychologist consultations - Bjørnson uses PsykBase as an electronic record system. In this system, personal data and sensitive personal data such as name, social security number, telephone, e-mail, address, next of kin, health information and description of treatment etc. are stored. Bjørnson's Academic Director is responsible for ensuring that health services at Bjørnson are provided in accordance with current health legislation. Routines have been established for the use of the electronic record system and a fire-proof filing cabinet (for work notes used for record keeping in PsykBase). The individual psychologist is also subject to provisions in the health legislation and is personally responsible for ensuring that case management is in accordance with the current legislation. The processing basis for personal data in connection with the performance of health services is health legislation and records legislation, as well as the agreement with the individual patient.


 
13.7.2 Development/consulting

Bjørnson will occasionally register and process personal data about a customer's employees in connection with the development of the customer's organisation, team, managers and employees. This will typically be information such as the employee's name, e-mail, and role. Bjørnson is mainly the data controller for such assignments. Bjørnson will take the initiative to obtain individual consent as a basis for processing when required. At Bjørnson, both the responsible consultant(s) and administrative personnel will have access to this personal data as part of the delivery.


Types of personal data that can be registered are:
  • Contact information: name, e-mail address, telephone number
  • Job information: job title, work instructions, information about the organisation of the individual's work, information about their development in their role, etc.


Contact information and job information can be included in the description of the offer and in delivery documents, and in the evaluation of deliveries. Information about deliveries is stored on Bjørnson's SharePoint - Microsoft Office 365 - which is used as an electronic archive and document processing system. Bjørnson practices internal access management to SharePoint, based on organizational role and area of responsibility. The individual Bjørnson employee is responsible for ensuring that the actual processing of personal data is in accordance with the routines. Bjørnson checks on a regular basis that the routines are followed.


13.7.3 Mapping

Bjørnson supplies a number of surveys: both standard off-the-shelf products supplied by third parties and self-developed, tailor-made tools. The surveys range from working-environment surveys to individual surveys, and can be anonymous or non-anonymous. Deliveries from Bjørnson can consist of individual surveys or combinations of surveys that range from quantitative to qualitative, anonymous/identifiable, individual/environmental surveys, etc.


Bjørnson provides information about the purpose of the surveys that are administered, and whether they are anonymous or not. Bjørnson will not share collected information with others or use the information for purposes other than those stated. Data subjects who participate in surveys are given the opportunity to give and withdraw their informed consent. They can contact Bjørnson to request access to their personal data and to have it deleted.


We collect personal data in connection with surveys, both to contact participants and to report results. When reporting results to the customer, Bjørnson ensures that any requirements for anonymity based on research-ethics principles are met. The legal basis for this processing is GDPR Article 6(1)(a), individual consent. The material is deleted as soon as the grounds for processing and storage no longer exist.


Use of third-party survey tools

An overview of third-party suppliers is included in the data processor agreement. The legal basis for processing personal data in these tools is individual informed consent given before the survey is answered. If anonymised data is to be used for a purpose beyond the one for which consent was originally obtained (e.g. research), this must either be stated in the original consent or new consent must be obtained. Consent can be withdrawn at any time, and the participant's information is then deleted. Sub-processor agreements have been established with all third-party survey suppliers that process personal data on behalf of Bjørnson, in accordance with the applicable privacy regulations. Deletion routines have been established in the various tools used to ensure that the privacy regulations are adhered to; the deletion provisions are set out in the individual sub-processor agreements and/or on the sub-supplier's website.



14 Use of subcontractors
14.1 Use of subcontractors in delivery

 
All subcontractors and contracted consultants who work on behalf of Bjørnson's customers are obliged to familiarise themselves with Bjørnson's privacy statement, and must sign an agreement stating that they will work in accordance with it in their dealings with Bjørnson's customers. In addition, all hired consultants sign a confidentiality and data discipline declaration.


14.2 Use of IT suppliers and data processor agreements

Bjørnson currently has an ICT operating model in which our IT systems are outsourced and operated by external parties. We use certain data processors to collect, store and/or otherwise process personal data on our behalf. In such cases we enter into data processor agreements to ensure that the processing is in accordance with the privacy regulations and the requirements for the processing of personal data. The use of data processors is not considered a disclosure of personal data, and the suppliers may not use the information for purposes other than those for which it was obtained. Bjørnson uses data processors in several different areas, for example ICT services such as storage and operation, health services, accounting and payroll, marketing, etc.


Cloudservice (org. number 991 073 930) supports the operation of PCs, Active Directory servers, firewalls, print servers, Exchange (e-mail), Microsoft Office, etc. Cloudservice is located in Norway, and the consultants who work with us work from Norway. We use SharePoint as our document management system. Upheads AS (org. number 980 893 936) delivers services related to system and SharePoint development.
 

Aspit AS (org. number 983 439 977) is Bjørnson's data processor for, and supplier of operation and maintenance of, PsykBase, the record system used for healthcare services. Information collected in connection with the operation of PsykBase is stored on separate servers operated by Aspit. Aspit places great emphasis on operational deliveries for public and private healthcare, where data security is of particular importance. Aspit's server farms are located in the Green Mountain data centre in Telemark. The data centre is Tier III certified and holds ISO 9001, ISO 14001 and ISO 27001 certifications. All equipment is operated by Aspit with ITIL-certified operating personnel (see also www.aspit.no).

 

As a payroll and accounting system (including incoming invoices and travel expenses) we use services from Azets Insight AS (org. number 983 338 917) which run on their servers. ProPlan Time is used as a system for managing working time, overtime and absence. This is operated by ProPlan AS (reg. number 959 472 823).


Destino AS (org. number 960 339 355) is our supplier for development and maintenance of Bjørnson's website. Information collected in connection with the operation of the website is stored on separate servers operated by Destino. Only Bjørnson and Destino have access to the information that is collected.


 

15 Privacy commissioner


Bjørnson has assessed whether the data protection regulation requires Bjørnson to have a data protection officer. We have very few natural persons as customers. We do not carry out regular and systematic large-scale monitoring of data subjects. For most categories of data subjects we mostly process general personal data such as name, address, employer, e-mail address, telephone number, etc. In connection with the delivery of conflict management, psychological interviews, and individual and working-environment surveys, both qualitative and quantitative, we do process sensitive information about customers' employees. In sum, we have concluded that Bjørnson is not subject to the requirement to have a data protection officer, but we have nevertheless chosen to appoint one. The professional manager at Bjørnson is the data protection officer. The main tasks of the data protection officer are to be a professional resource on data protection, to be at your service with information and guidance, and to ensure that the regulations and the internal guidelines for the processing of personal data are complied with. The data protection officer is the link between Bjørnson as data controller and the supervisory authority, the Norwegian Data Protection Authority, and also answers questions from people whose personal data is, or may be, processed by Bjørnson. Contact information can be found at the end of this document.
 


16 Risk assessment

Bjørnson regularly assesses the risk associated with our processing of personal data. The assessment enables us to identify and define which security measures to implement.
The assessment considers the likelihood and severity (i.e. the risk) of harm to people's rights and freedoms, such as physical harm, damage to things or property, and medical harm. Examples of such harm are discrimination, identity theft, damage to reputation, loss of social esteem, confidential information becoming known to unauthorised parties, and unacceptable intrusions into privacy.

 

The processing protocol (the personal data mapping form) shows that we:

  • To a large extent process general contact information, such as name, address, employer, e-mail address, telephone number, etc.
  • Process psychologist interviews containing sensitive personal data only through healthcare personnel (psychologists), within a separate record system in which IT security is a high priority.
  • In connection with the delivery of conflict management, individual surveys and qualitative working-environment surveys that contain personal data, have established routines to ensure that personal data does not become known to unauthorised parties.
  • Process information about employees that is common for managing personnel matters, including compliance with statutory obligations.
  • Have few private customers.
  • Do not process information of or about children.
  • Process information as part of running ordinary business activities.


Based on this risk assessment, we consider that the consequences of a breach of the rules would be particularly serious for personal data collected in connection with psychological interviews. Bjørnson is responsible for the processing of personal data from psychological interviews.


Taking developments in society into account, we assume that we are likely to be exposed to more, and more frequent, attempted data breaches. We must therefore continuously risk-assess our IT operating model and any changes that may affect information security, for example when we buy new IT services and evaluate suppliers. The results of risk assessments must be approved by the person with day-to-day processing responsibility at Bjørnson, our general manager.


We have established data processing agreements with all IT suppliers that process personal data.
We have established our own routines for processing sensitive personal data, including restricting access.
We have established routines to safeguard IT security at all levels and areas in Bjørnson.



17 Information security

Under the GDPR (Article 32), we must implement appropriate technical and organisational measures to achieve a level of security that corresponds to the risk associated with our processing of personal data. In doing so we must take into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing. Our risks are assessed overall in the section above.
 

In addition to already noted security measures, the following measures have been implemented:

  • The data protection officer has been appointed with the special task of ensuring security
  • Employees must be given relevant training in the processing of personal data
  • Hired consultants must be given customized training in the processing of personal data
  • Annual risk assessment is included as an activity in the internal control work

18 Deviations, analysis of deviations and corrective measures

In establishing the privacy policy, Bjørnson has implemented and corrected the company's routines for processing personal data so that we follow the rules in the GDPR and the routines in the declaration. Central to the work has been the "processing protocol" where we have mapped Bjørnson's processing of personal data and deviations from the processing routines for each category of data subject. The deviations have been processed or are being processed.

Going forward, we will ensure compliance with the GDPR by surveying and evaluating our processing of personal data on an annual basis. We must document both the deviations we have found and what we have done to correct them. Deviations must be registered in Bjørnson's deviation system as part of the quality system. The deviations must be processed in line with deviation processing for the processing of personal data.

A personal data breach is defined (GDPR Article 4(12)) as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.


In the event of a personal data breach, the Norwegian Data Protection Authority must be notified within 72 hours after Bjørnson, as data controller, has become aware of the breach. Where the breach is likely to result in a high risk to the rights and freedoms of the affected parties (the data subject, the customer), they must be given a notice with the following content:

  • Description of the breach
  • Contact information for the data protection officer or another contact point at Bjørnson
  • Description of the likely consequences of the breach
  • Description of the measures taken or proposed to close the breach and limit its consequences


In the following cases, Bjørnson need not notify the affected parties individually:

  • If protective measures have been applied to the personal data covered by the breach, in particular measures that render the data unintelligible to unauthorised persons, for example encryption.
  • If subsequent measures have been taken which mean that the high risk is no longer likely to materialise.
  • If it would involve disproportionate effort to notify each of the affected parties. In such cases the information must instead be made public or shared in another way, so that those affected are nevertheless informed in an equally effective manner.

Other deviations in the processing of personal data must also be reported to the Norwegian Data Protection Authority where necessary.



19 Control and revision of the privacy statement and processing protocol

This privacy statement is updated and revised on an ongoing basis. The reasons are, among others, that the rules in laws and regulations may change, our processing of personal data may change, or experience may indicate that we should change our routines. For the same reasons we must also regularly review and update the processing protocol (mapping form) for the processing of personal data. The general manager is responsible for ensuring that the need for changes and revisions is identified and incorporated into this document and the processing protocol.
The evaluation should include, for example, the following questions:

  • Since the last audit, have we changed (introduced, changed or terminated) the processing of personal data in a manner that is not noted in the document or in the mapping form?
  • Do the six basic requirements for processing personal data indicate that we should change routines or practices?
  • Since the last audit, have new rules in law or regulations come into force that require changes?
  • Since the previous audit, has the business discovered other areas for improvement of the document or mapping form?
  • Has there been new technology introduced that enables personal data to be secured in a better way?

20 Contact information

Day-to-day responsibility for processing at Bjørnson (data controller contact): Ingrid Ottesen, General manager
Bjørnson's data protection officer: Ane Johnsen Lien, Professional manager
 
firma@bjornson.no | +47 4000 23 43 | Stokkamyrveien 13, N- 4313 SANDNES
 
As defined in GDPR Article 4.
The processing is necessary to fulfil an agreement to which the data subject is a party, or to carry out measures at the data subject's request before entering into an agreement.
Bjørnson also receives personal data indirectly, for the following reasons:
  • A job seeker has provided you as a reference.
Bjørnson uses e-mail and telephone as part of its daily work and in general dialogue with internal and external contacts. We scan all incoming and outgoing e-mail for viruses and malware.

Building People 
Builds Business