Promon will process personal data as part of our business. We are committed to processing personal data safely, reassuringly, and trustworthy.
Our processing as the controller of personal data is based on our activities and the purpose of our business. Below is information about the personal data we process about you, the legal basis for the processing, the purpose of the processing, how long we process the personal data, etc.
We may also process personal data in other ways, as mentioned below, but we will inform you of the personal data that applies in ways other than through this notice.
If you have questions about the processing of your personal data, you can contact us, see our contact details below.
1. Responsible for the processing of personal data
Promon is responsible for processing the personal data described here, i.e., deciding why and how the personal data is processed (the data controller). However, this does not apply where we act as a data processor, i.e., processing personal data on behalf of our customers; see Section 4.
Contact details on us as data controller:
Promon AS
Address: Cort Adelers Gate 30, 0251 Oslo, Norway
Email: privacy@promon.no
Phone: +47 22 02 11 30
Entity reg. no.: 989 480 138
Promon does not process personal data when the Promon products are used. Typically, Promon’s customers will process personal data when Promon’s products are used in their software applications. As a user of such applications, you need to consult with the privacy policies for such applications.
2. Why and what kind of personal data do we collect and use
We collect and use your personal data for different purposes depending on who you are and how we contact you.
All processing of personal data will be in accordance with this Privacy Notice and the privacy regulations in force at any given time, including the local privacy regulation and the General Data Protection Regulation (GDPR).
Personal data is any information about a physical person that can be identified directly or indirectly (the latter are referred to as “data subjects”).
Processing personal data is any activity performed with personal data, such as collecting, recording, organizing, structuring, storing, adapting, altering, transmitting, or deleting.
2.1 Communication and contact
We process personal data about those who contact us to answer and document the communication and contact others not covered by the processing elsewhere in the Privacy Notice, which applies to all forms of communication, physical and digital, written and oral.
In such cases, we process the name, telephone number, email address, and any personal data that may result from the communication, including history/logs about the inquiry.
The processing is based on what we consider to have a necessary legitimate interest in processing related to the above (see GDPR Article 6 (1) f). Our legitimate interest is to contact others as part of our business, document our business, reply to those who contact us, and register such contact. We have assessed that this is necessary to handle inquiries we receive and that the data subjects’ privacy does not override these interests.
It is voluntary to provide us with personal data, but it will be necessary to provide us with the information to answer inquiries.
We process the personal data until we expect that the contract will not be further followed up, typically for two years.
2.2 Email and other business solutions
We use email as a communication solution and other business solutions, such as document storage, cooperation solutions, etc., that will contain personal data. The processing is based on that we consider having a necessary legitimate interest in processing personal data via email (see GDPR Article 6 (1) f) to have a work tool and communication solution and that the data subjects’ privacy does not override over these interests. Personal data processing depends on the purpose of the email and what is included in it. Emails and other information are deleted when they are no longer needed, and we have measures to ensure regular deletion.
2.3 Information and Marketing
If you request information or subscribe to our newsletter, we will send information about our products and services, benefits from partners, newsletters, and other information and marketing. We will then process the email address and other contact information you provide.
We process personal data to inform you about services and products that may interest you and process the personal data based on your consent (GDPR Article 6 (1) a). You can withdraw your consent at any time by using any unsubscribe options in the communications you receive or by contacting us to opt out of direct marketing and/or profiling under GDPR Article 21 (2).
We only process personal data, such as the email address and name, to send the newsletter, making the inquiry more personal and ensuring the communication reaches the right person. The email address is not used for other purposes other than sending the newsletter.
The processing will continue until you have received the requested information or withdrawn your consent. Thereafter, your personal data will be deleted.
2.4 Information and Newsletters
We may also send out information about our services and products that do not contain marketing. This will be done regardless of whether you have consented, and personal data will then be processed on the basis that we either fulfill a contract with you as an existing customer (GDPR Article 6 (1) b), or based on our legitimate interest in informing our users and contacts about our services (GDPR Article 6 (1) f). Alternatively, we may process the information based on your consent (GDPR Article 6 (1) a). The purpose of the processing is then to keep you updated about products and services you receive and follow up on purchases of products or services. The processing of personal data will occur as long as you receive our services.
If we process based on consent, you can withdraw your consent at any time by using the link in the newsletter or contacting us to stop receiving the information. However, we would encourage you to continue receiving the information, as it may be relevant to your use of the service use.
We only process personal data that enables us to carry out the distribution, which is the email address. The email address is not used for any other purpose than sending out the information. Personal data is processed as long as you receive the information.
2.5 Business customers, suppliers, partners, etc.
We process personal data about contact persons of existing and potential business customers, suppliers, and other partners to manage our relationships with suppliers and others, prepare, implement, and document services, and evaluate the use of services. In these cases, we will process names, contact information, company names, and information related to the contact with the company in which the person in question works.
The processing of personal data is based on the necessary processing and legitimate interest in managing our relationships with our customers, partners, and suppliers.
The processing of personal data is based on what we consider a necessary legitimate interest (GDPR Article 6 (1) f) to manage the relationship with our customers, partners, and suppliers, and the data subject’s privacy does not override our interest.
We also store and disclose information where we have a legal obligation, for example, under accounting and tax legislation.
We may store information for as long as we believe it may be necessary to document matters relating to services.
In many cases, we will need to obtain personal data to enter into agreements with customers and suppliers and, among other things, to document that an agreement has been entered into. If we do not receive the information we need, we cannot enter into agreements.
It is voluntary for contact persons to provide us with personal data. If we collect personal data from others, it will mainly apply to contact information (including name, address, telephone number, and email address), position, function, employer, and any competence and references where relevant. The source for such information will be the contact person, employer, or something else, such as the employer’s website.
We store personal data until the relationship with the customer, supplier, or partner ceases or until the contact person ceases to be the contact person, with the abovementioned exceptions.
2.6 Booking an online meeting
You may book an online meeting through our website. Mandatory personal data collected in this context includes your name, company name and email, job title, industry, and country/region. You may provide us with the following information beforehand: phone number, specific topics or questions to address in the meeting, and where you heard about Promon.
The processing of personal data is based on what we consider a necessary legitimate interest (GDPR Article 6 (1) f) to have contact with potential customers, and the data subject’s privacy does not override our interest.
We store personal data until the meeting is completed, and it is clear if there will be a business relationship with the participant in the meeting.
2.7 Recruitment
CVs, applications, certificates, and references are processed when recruiting for new positions with us. Processing of personal data takes place based on consent that you have given if processing takes place through, e.g., a recruitment solution or on the basis that it is necessary and within our legitimate interest to recruit new employees.
We may use recruitment services to manage applications, which will be our data processor. If you register with the job search service with your profile, the service will be a data controller responsible for processing, and reference is made to its privacy notice about the processing of personal data in the service. The processing of personal data is based on your consent in the recruitment service (GDPR Article 6 (1) a), obtained or the basis set forth below.
The basis for processing personal data when recruiting is that the processing is necessary to assess possible job seekers before entering into a possible employment agreement (GDPR Article 6 (1) b).
If assessments are made in this regard, such as contacting persons who are not listed as a reference, examining when searching for background, etc., personal data is processed based on our necessary legitimate interest in ensuring that the correct candidate for the position (GDPR Article 6 (1) f). For the latter, we have considered that the individual data subject’s privacy does not override our legitimate interest in recruiting new employees. We recommend you not to enter special categories of personal data, such as health, religion, political opinion, union membership, etc., in your application.
If we process special categories of personal data, we will do so based on your consent (GDPR Article 9 (2) (a)). Consent can be withdrawn at any time, which will not affect the lawfulness of processing personal data before the consent was withdrawn.
If you have not agreed to further storage, information on the service will be deleted as soon as recruitment is done.
2.8 Events, etc.
For participants in events, contact information will be registered and processed, along with which event the person in question is to attend, so that the person in question can identify as registered and the necessary communication can be carried out.
For participants in events, contact information will be registered and processed, as well as the event the person attended, so that the person can be identified as a participant and that necessary communication and possible invoicing of participation fee can be carried out. Processing of personal data will be based on fulfilling an agreement with the participant (GDPR Article 6 (1) b) or if the participants represent a company on the basis that we have assessed that we have a necessary legitimate interest (GDPR Article 6 (1) f) by holding events as part of activities. In the latter case, we have considered that our legitimate interest overrides the data subject’s privacy.
If food and/or drinks are served, we may obtain information about food preferences, which can show health and/or religion based on the preferences. This information will only be processed to serve food and/or drinks and deleted immediately after the event. In such cases, the personal data will be processed based on consent.
2.9 Social media
We have contact with stakeholders and others through social media. We have established a Facebook page where we are responsible for processing personal data in this connection with Facebook. Personal data will be processed through the Facebook page if you publish posts on the page, comment on posts, or «like»/follow the page. Our purpose for processing personal data through Facebook is to have contact with you who wish to communicate with us or interact on our Facebook page in other ways, see also about communication under section 2.2 above.
In this context, your name and link to other information you posted on Facebook associated with your name/account on Facebook are processed. In addition, everything you share through posts and comments on our Facebook page and the fact that you have “liked”/followed our website is processed. What you share on the Facebook page is up to you and voluntary.
We ask you not to share personal data in posts or comments on the website, especially not to share personal data about others, e.g. by «tagging» or mentioning people.
We process personal data on social media, such as Facebook, because we believe we have a legitimate interest in communicating with the outside world through social media and want to process personal data in this context (GDPR Article 6 (1) f). We have considered it so that it is necessary for us to communicate with the outside world and handle inquiries we receive and that the data subject’s privacy does not come before these interests.
The data will be processed as long as postings/comments are available on social media, and you can delete this at any time.
2.10 Use of websites, cookies, etc.
We will use cookies or similar technology to collect information when you visit or interact with our website. We use the information collected to improve the customer experience on websites and services, to adapt and develop the website, and to offer functionality in the services. We also use the information to provide visitors with recommendations and service adjustments that are as relevant to you as possible. This will be given based on visitors’ behavior, e.g., on services used, links clicked on, or information read, and on the behavior of other users with similar usage patterns. In addition, cookies are used to provide customized marketing on our websites, in advertising networks, and on social media. As far as practically possible, we try to do this with anonymous information without knowing that the information is specifically linked to each visitor.
A cookie is a text file or information that, upon visiting or interacting with a website, is placed in your browser's internal memory or a number/series of numbers that can identify your browser or device using the websites (referred to as cookies below for simplicity's sake).
You can prevent us from placing cookies in your browser. Many browsers or devices are set to accept cookies automatically, but you can change the settings so the cookies are not accepted. The disadvantage of disabling cookies in your browser is that web pages will not work optimally. The purpose of most cookies we use is to provide functionality for the services.
We also use tools other than cookies to collect information about your IP address, browser type, operating system, and the date and time of your visit to the website and services. This information is used to analyze trends to make the website and services more user-friendly.
For information on which cookies we use, see the cookie-consent box on our website. You may also access this by clicking on the icon in the left corner of the website at any time, where you may also amend your preferences or withdraw your consent.
We will process the personal data mentioned above based on our consent (GDPR Article 6 (1) a). The information will be processed until you withdraw your consent.
Necessary and statistical cookies will be used and processed based on our necessary legitimate interest (GDPR Article 6 (1) f) to adapt the website to our users. We consider that the data subject’s privacy does not override this interest.
3. Processing Based on Consent
If we process personal data based on your consent (see above), you can withdraw your consent at any time without affecting the lawfulness of processing before its withdrawal. Contact us if you want to withdraw your consent. Note that if you withdraw your consent, it may still be possible for us to continue processing all or part of the information if there is another basis for the processing.
4. Retention and deletion of personal data
We keep and store personal data for as long as is necessary for the purpose for which the personal data was collected, and we delete the data under requirements in regulations. The length of time we process the individual data types is included above under the specification of the different processes.
When we delete the information included above where the individual processes are discussed, or else the storage period is based on the following criteria:
- Whether we have a legal or contractual need to retain the information, as there may be claims directed against us
- Whether the information is necessary for our business
- Where the basis of processing is consent, when consent is withdrawn.
When we no longer have a legitimate need to process your personal data, we will delete or anonymize them as quickly as possible in accordance with applicable law.
In some cases, it may be relevant to anonymize personal data instead of deleting it. Anonymization removes all data that may identify or potentially identify data subjects (individual persons) from data sets.
This means, for example, that personal data that we process based on your consent will be deleted if you withdraw your consent. Personal data that we process in connection with sales or purchase agreements you have with us is deleted when the agreement is fulfilled. All obligations arising from the contractual relationship are fulfilled, such as legal obligations related to accounting. Personal data related to our fulfillment of legal obligations is deleted as soon as the legal obligations have been fulfilled, such as the obligation to keep accounts.
5. Disclosure or transfer of personal data
We do not disclose or transfer personal data to others in cases other than those mentioned in this notice unless there is a legal basis for such disclosure/transfer. Examples of such a basis will typically be an agreement with or consent from the data subject or a legal basis that requires us to publish the information. The latter applies to public activities such as tax collection (if necessary), accountant/auditor, and others that we need in our business, such as a bank connection.
We use data processors to process personal data on our behalf. In such cases, we have entered into data processing agreements with the data processors to safeguard your rights and security for your personal data at all processing stages.
Personal data may be disclosed to public authorities if required by law, or there is a suspicion that a crime has been committed in connection with the use of our services.
If personal data may be subject to transfer to another organization in connection with a merger, financing, reorganization or dissolution transaction of all or part of us, we will only do so if the parties involved have entered into an agreement where the collection, use and sharing of personal data is limited to the purposes of the transaction, including a provision as to whether or not the transaction will proceed, and the personal data shall only be used by the parties involved to complete and complete the transaction. If another company buys our business or assets, this company will have access to the personal data we collected and will assume the rights and obligations regarding your personal data as described in this privacy notice.
6. Transfer of Personal data to recipients in countries outside the EEA
It is an objective that all processing of personal data shall be carried out within the EEA, but we may use suppliers or process personal data outside the EEA, see above. In such cases, transfer and processing outside the EEA will take place in countries approved by the EU Commission or under a valid legal basis for the transfer of personal data under GDPR Chapter V. If transfer to countries approved by the EU Commission does not take place, the transfer will only take place after guarantees set out in Article 46 (2) of the GDPR. You can get information on the lawful basis used for the transfer if you contact us.
7. Links to third parties/other websites
There may be links to other websites or third parties offering products or services and other sites not under our control on our website. These links are provided only as an opportunity for users to obtain more information. Websites not part of ours, i.e., not under the addresses promon.co, will process personal data as the data controller itself and may have separate and independent privacy notices. We have no responsibility for the content and activities of these websites.
8. Security of processing
We prioritize the security of personal data in our business and will implement all required technical and organizational measures to secure your personal data. If possible, all processing will be encrypted and unavailable to anyone other than those needing personal data to perform their tasks (“need-to-know”).
We ensure that personal data is correct, accessible, and handled according to its degree of sensitivity. We also use various security technologies and information security procedures to protect your personal data from unauthorized access, use, or disclosure. Where necessary, risk assessments are carried out.
We have entered into data processor agreements with all our suppliers who process personal data. These agreements require them to assume the same degree of security as we ensure in our processing of personal data.
We restrict access to personal data to staff or third parties who process it on our behalf. These parties are subject to a duty of confidentiality.
Routines have been established for handling breaches of information security and routines, and we will, if there are breaches that pose a risk to personal data, notify the supervisory authority (Datatilsynet) as soon as possible and no later than 72 hours after the breach is discovered. If the breach entails a high probability of the privacy of the data subjects affected by the breach, they will also be notified.
9. Your rights when we process personal data about you
You will find a description of your rights when we process your personal data below. To exercise your rights, you must contact us, see contact information above, or otherwise, if it follows below.
We strive to respond to your inquiry as soon as possible and within one month. If it takes longer than one month, you will be notified.
In some cases, we will request you to confirm your identity or provide additional information before you can exercise your rights to make sure that we only give access to your data to you - and not someone who pretends to be you.
9.1 Information
You have the right to get information about the personal data we process about you. Through this policy, you get information on the processing of personal data. You can also contact us if you want more information.
9.2 Access to your personal data
You have the right to request access to the personal data we processed about you. Contact us if you want such access.
If you request it, you will also receive a copy of the personal data we process about you. We may ask you to specify which data you wish to receive a copy of to make the release easier for us. Upon providing a copy of your personal data, we may require you to identify yourself to ensure we do not disclose personal data to unauthorized persons. The information about you will be sent in digital form unless you request it to be transferred in another manner.
9.3 Correction and deletion
You can also ask us to correct or delete any personal data. We will accommodate a request to delete personal data as far as possible, but we cannot do this if the data is necessary.
9.4 Processing based on your consent
If we process personal data based on your consent, you can withdraw the consent at any time. The easiest way to withdraw your consent is as informed to you when you give your consent or to contact us.
9.5 Right to protest or restrict the processing
You have the right to have your processing restricted or stopped in certain cases, see further in GDPR Article 21.
Where our processing is based on legitimate interests, you can object to processing your personal data. If you object, we shall cease the relevant processing unless there are compelling legitimate grounds for continuing the processing.
You may also object to processing personal data concerning you for marketing purposes, including profiling, to the extent that it is related to such direct marketing, as per GDPR Article 22 (2).
9.6 The right to data portability
For personal data that you have provided to us, which is necessary to carry out an agreement with us, and which is processed automatically (i.e. not manually by us), you can request that the personal data be disclosed or transferred to another provider in a structured, commonly used and machine-readable format (data portability).
9.7 Automated processing, including profiling
There will be no automated processing, including profiling, based on your personal data that may have legal effects or significantly affect those to whom personal data applies. See GDPR Article 22 no. 1 and 4.
9.8 Right to be notified
If a data breach occurs, i.e., a breach of personal data security that would pose a high risk to your privacy, we will notify you without undue delay.
10. Complaints
If you suspect that our processing of personal data is not in accordance with what we have described here or that we, in other ways, violate the privacy legislation. In that case, you can complain to the Norwegian Data Protection Authority. However, we ask you to contact us first to correct the matter as soon as possible.
You will find information about your rights and how to contact the Norwegian Data Protection Authority on the website: www.datatilsynet.no.
11. Amendments
Should our services or regulations on the processing of personal data change, the information you have provided here may change. If we have your contact information, we will inform you of these changes. The updated privacy notice is readily available on our website.