Part 1 – General part of the privacy policy

1. Introduction

Personal data are pieces of information that can be linked to you personally. This includes your name and contact information, but also many other types of information that can be directly linked to you. It is important to Oslofjord Convention Center AS (hereinafter referred to as ‘Oslofjord’) that you are aware of what personal data we process, so that you can safeguard your rights pursuant to the data protection legislation.

We will update this privacy statement regularly to accommodate changes in our processing, any changes to the website, changes to statutory requirements or other changes. Information about any major changes will be provided on our website oslofjord.com.

2. Processing responsibility

Oslofjord is the data controller for all processing of personal data where we decide the purpose of the processing of the data and the means we use for the processing. In this privacy statement, you can read more about the types of processing for which Oslofjord is the data controller.

If you have any questions about this privacy statement or the assessments we have made, feel free to contact us at gdpr@oslofjord.com.

For more information about key concepts in the Personal Data Act, see the section ‘Definitions’.

3. How we process personal data

Oslofjord provides a number of services to its guests and other parties who come into contact with us. These services are described in the chapter ‘Overview of what data we process’.

When you use one of Oslofjord’s services, we only store the personal data that are necessary to be able to offer you the service in question. We do not use the information you give us for other purposes without obtaining your active consent.

We will never sell your personal data to others, and we erase data we no longer need. For security reasons, personal data are securely stored. When you provide us with your personal data by using one of our services, Oslofjord is responsible for their processing. Our employees have signed a declaration of confidentiality. If we use online services or other companies to carry out part of the job on our behalf, we have data processing agreements in place with these parties that ensure that your personal data are processed in accordance with your rights and the content of this privacy statement.

Under Norwegian law, we are obliged to report certain information to the authorities. If so ordered by a court of law, we are also obliged to give the police access to our systems.

You can find detailed information about the data we store and how we process them in the overview of services in part 2 of this privacy statement.

4. How we collect data

We mainly process data about you if:

• You have made a reservation with us, or someone else has done so on your behalf
• You are registered as a participant in one of our events
• You are registered as a guest who is staying or has stayed with us
• You have registered as a recipient of our newsletters
• You are registered as having rented a suite and/or parking space
• Your vehicle has been registered in our parking system when entering and exiting the premises
• You have registered your vehicle with us to be accredited when entering
• You may be have been identified by means of surveillance cameras when visiting us
• You have given feedback on our services and chosen not to be anonymous
• You have been granted access in our access control system
• You have sent us an enquiry
• You have applied for a job with us

We can also receive data about you from other parties if:

• A non-conformity report contains information about you
• A complaint or notification contains information about you
• A job seeker has listed you as a reference

5. Security measures

Oslofjord has implemented suitable and sufficient security measures to safeguard protection of the individual’s privacy in accordance with the data protection legislation’s requirements relating to data security.

6. Your rights

You can exercise your rights by contacting us (see separate section for contact information). You are entitled to a response without undue delay, and within 30 days at the latest.

6.1 Withdrawal of consent

In cases where the processing of your personal data is based on consent, you can withdraw your consent at any time, for example by contacting us.

6.2 Access to own data

You can request access to see what personal data Oslofjord is processing about you.

6.3 Correction of personal data

You have the right to request that we correct or supplement inaccurate or incomplete information about you. If you have created a user profile with Oslofjord, you can make changes via your profile.

6.4 Erasure of personal data

In certain situations, you have the right to request us to erase information about you. Read more about the right to erasure on the Norwegian Data Protection Authority’s website.

6.5 Other rights

Please contact us if you think that we have registered inaccurate personal data about you, if you wish to object to your personal data being processed or if you have experienced something that you believe is a breach of the data protection regulations. See the ‘Contact us’ section. You can also file a complaint against our processing of personal data with the Data Protection Authority.

7. Contact us

Do you have any questions or wish to contact us? You are entitled to a response to data protection requests, and we will do our utmost to follow you up in a satisfactory manner.

Postal and office address

Org.nr.: 989 945 467
Oslofjord Convention Center AS

Office address: Oslofjordveien 9, 3159 NO-MELSOMVIK

Phone:

+47 33 00 20 00

Email address:

gdpr@oslofjord.com

Del 2 – Overview of what data we process

8. Booking system

What data we store and why

In our booking system, we process the personal data we need for your reservations and purchase of services. These are data we have received directly from you or via an event agency, agent or other third party through which you have directly or indirectly booked some of Oslofjord’s services or products.

Examples of personal data we process include information about your identity, your contact information, your payment information and, in some cases, your passport number. We also process other data you may have provided and that are relevant to your stay with us, such as information about allergies or special requests regarding your stay.

We also use your contact information if we need to contact you after your stay with us, e.g. if you have left any personal belongings behind.

We will also store information about which room you are staying in or have stayed in to fulfil the official requirement that we must be able to produce guest lists.

Our basis for processing personal data for this purpose is Article 6(b), which concerns performance of a contract.

How long will the data be stored?

We process these data for as long as is necessary to fulfil our reservation contract with you, and for as long as required by applicable laws or regulations.

9. Customer surveys

What data we store and why

All our guests will be given the opportunity to provide feedback on our services, such as the quality of the room, overall cleanliness, the food and the overall impression of the stay. We do this to improve and further develop our products and services.

Our basis for processing personal data for this purpose is Article 6(f), which concerns the legitimate interests of the data controller.

How long will the data be stored?

We process these data for as long as we find necessary, but will anonymize the information as soon as practically possible.

10. Newsletters

What data we store and why

If you register for our newsletters or wish to download content from our website, we will store your email address, first name, last name and company name. You will then receive news and offers from us within the limits of the rules regarding existing customer relationships set out in the Marketing Control Act.

You can leave your email address, first name, last name and company name on our website if you wish to get in touch with us, and a member of our staff will contact you.

Our basis for processing personal data for these purposes is Article 6(a), which concerns consent.

You can withdraw your consent at any time and opt out of receiving marketing material on the basis of an existing customer relationship. You can do this when you receive information from us by email. You can also send an email to gdpr@oslofjord.com.

How long will the data be stored?

We process these data for as long as the data subject has not asked to have his/her contact information erased or deregistered from the service.

11. Oslofjord App

What data we store and why

Oslofjord has an app for iOS and Android. The app contains information about your booking(s), ticket(s) and order(s). You can use the app to book activities, order food, download a key to your accommodation unit(s) and as a channel for information from or communication with us.

The personal data used in the app is information obtained from the registration, reservation, booking and ticket systems used by Oslofjord in connection with your stay, or data that you have chosen to share with Oslofjord.

For some events, guests may be asked to register their car’s license number in the Oslofjord app to be able to pass through the main gate. The purpose is to ensure the safety of our guests. The app can also be used by guests who have a parking agreement with Oslofjord.

The Oslofjord app will request the following permissions:

• Access to location data to make it easier for you to find your way around Oslofjord
• Allow push notifications to communicate relevant information and offers

It is up to you whether you wish to consent to the different permissions our app requests. If you decline the permissions, it will affect the functionality of the app.

Oslofjord can use external partners to handle bookings and tickets. If you use one or more of these services, you accept that we share your information with our partners. The information may only be used for this purpose.

Our basis for processing personal data for this purpose is Article 6(b), which concerns performance of a contract.

For services in the Oslofjord app that are voluntary for guests to use, the basis for the processing is the user’s consent, described in Article 6(a).

How long will the data be stored?

Personal data in the Oslofjord app is normally not erased, except at the data subject’s request.

12. Renters of suites and parking spaces

What data we store and why

Oslofjord processes information about you if you have entered into an agreement to rent a suite or parking space, or if you have contacted Oslofjord with a view to entering into such an agreement.

Our basis for processing personal data for this purpose is Article 6(b), which concerns performance of a contract.

How long will the data be stored?

We process these data for as long as is necessary to fulfil our contract with you, and for as long as required by applicable laws or regulations.

13. Video Surveillance

What data we store and why

Oslofjord uses video surveillance to ensure the safety of our guests and employees. The areas covered by video surveillance are clearly signposted.

For some events, the organizer wants to use video surveillance to recognize vehicles based on their license number so that they may pass through the main gate. The purpose is to ensure the safety of our guests.

Our basis for processing personal data for this purpose is Article 6(f), which concerns the legitimate interests of the data controller. The legitimate interest is to actively prevent undesirable incidents.

Article 6(d) may also be used as a basis for processing. This article concerns cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person. The processing may then entail disclosure of recordings to the police in connection with investigation of matters of a criminal nature.

How long will the data be stored?

Video recordings are erased after two weeks.

14. Parking

What data we store and why

Oslofjord uses video surveillance in connection with parking to be able to identify vehicles based on their license number. Visitors who have a parking agreement with Oslofjord and who have registered their license number with Oslofjord will not be charged a parking fee. Other visitors will be charged a parking fee in accordance with the applicable rates. Identification of the license number will form the basis for the invoicing of the fee and any payment follow-up for visitors who do not pay the fee on a payment terminal at Oslofjord.

Oslofjord uses OnePark as its data processor for parking services. The area is clearly signposted with information about the service and alternative means of payment etc.

Our basis for processing personal data for this purpose is Article 6(b), which concerns performance of a contract.

How long will the data be stored?

We process these data for as long as is necessary to fulfil our contract with you, or, if relevant, the payment follow-up has concluded, and for as long as required by applicable laws or regulations.

15. Access control

Oslofjord uses access control to protect assets that belong to us, our employees or our guests.

Our basis for processing personal data for this purpose is Article 6(f), which concerns the legitimate interests of the data controller. The legitimate interest is to actively protect our assets and prevent undesirable incidents.

How long will the data be stored?

This history will be erased after three months.

16. Emails

What data we store and why

We use emails in the performance of our work.

Emails sent to joint email addresses (non-personal) are handled by a ticketing system. Security functions protecting against unauthorized access are used for all receiving and storage of emails.

We recommend that you do not send us sensitive information directly via email. If we need such information in order to process your case, we will request it later.

Our basis for processing personal data for this purpose is legitimate interests (Article 6(f)). The legitimate interest consists of being able to carry out tasks on behalf of / respond to enquiries from customers, guests, renters of suites/parking spaces and others. For these purposes, email history and email addresses must be stored for as long as necessary to be able to process the enquiry.

How long will the data be stored?

Emails we receive are deleted when they are no longer necessary to our day-to-day work. In practice, this means that such emails shall normally not be stored for longer than two years.

17. Jobseekers

What data we store and why

If you apply for a job with Oslofjord, we need to process information about you to be able to consider your application. The recruitment process entails processing the data you provide to us in the documents you send us, including your application, CV, diplomas/certificates, references and test results, as well as video interview recordings if we have asked you to participate in such an interview. In addition to interviews, Oslofjord may also carry out its own investigations, typically by talking to the job seeker’s references.

Our basis for processing personal data for this purpose is legitimate interests (Article 6(f)). The legitimate interest is to be able to have the documentation required to assess the data subject’s application.

How long will the data be stored?

Job applications are stored at Oslofjord and erased within six months. Exceptions to this rule are agreed on a case-to-case basis.

18. Definitions

By data protection is meant statutory protection of your right to privacy and your personal integrity. This includes protection of your right to influence the use and dissemination of personal data about you.

By person is meant a living identified of identifiable natural person.

By personal data is meant information and assessments that can be linked to you as a person. Examples include your name, address, phone number, email address, IP address, vehicle license number, photos and personal ID number (your date of birth and national ID suffix). Information about behavioral patterns are also defined as personal data. Examples include information about what TV shows you watch and your location. Sensitive personal data are information about your racial or ethnic origin, your political opinions, philosophical or religious beliefs, health, sex life and any information that you have been suspected of, charged with, indicted for or convicted of a criminal act, as well as trade union membership.

By processing of personal data is meant any operation performed on personal data, such as collection, recording, structuring, storage and dissemination.

By data controller is meant the entity that is responsible for the processing of personal data and that determines the purposes and means of the processing of personal data.

Personal data may only be processed for specified, explicit and legitimate purposes.

A data processor is the entity which processes personal data on behalf of the data controller.

A data processing agreement is an agreement between the data processor and the data controller about how personal data are to be processed.

By basis for processing is meant the statutory basis for processing personal data. Oslofjord uses one of the following bases for processing:

• the data subject has given consent to the processing of his or her personal data, cf. the General Data Protection Regulation Article 6(1)(a)
• processing is necessary for the performance of a contract to which the data subject is party, cf. the General Data Protection Regulation Article 6(1)(b).
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, cf. the General Data Protection Regulation Article 6(1)(f)

By consent is meant a freely given, specific, informed and unambiguous active statement from you that you accept the processing of the personal data provided. Consent can be withdrawn at any time.

Oslofjord may process personal data if it is necessary for the performance of a contract to which you are a party. The same applies to cases where the processing is necessary to implement measures that you have requested before the agreement was signed.

Oslofjord can process personal data that are necessary for the purpose of pursuing a legitimate interest that overrides the interest of the protection of the data subject’s privacy. Oslofjord only uses this basis for processing if the infringement on your privacy is very slight and if the advantages outweigh the disadvantages.