Privacy Polic

Effective for FAVER AS – 20.7.2018.

We may make minor changes to this privacy policy. You will always find the latest version on our website. In the event of significant changes, we will notify you of this.

1. Data Controller FaVer AS (FaVer) processes personal data in its business within tactical/technical investigation and examination.

When FaVer carries out investigation and examination assignments on behalf of business customers, we are generally the data processor, and our client is the data controller, cf. EU Regulation No. 2016/679 (GDPR) Article 4 Nos. 7 and 8. FaVer then processes personal data according to instructions from the data controller and in accordance with the applicable data processing agreement. The data controller should be identified in the correspondence with you.

When FaVer carries out assignments on behalf of a private customer, we are the data controller, cf. GDPR Article 4 No. 7. We are also the data controller for the processing of personal data in connection with the administration of business customers, partners, marketing, and internal employees/staff.

Contact information: FaVer AS, c/o Managing Director Stein Naustdal, P.O. Box 1228 Vika, 0113 Oslo. Organization number: 997 329 694.

2. Whom We Process Personal Data About

This privacy policy is directed towards our processing of personal data about the following individuals:

• Private customers
• Contact persons at our business customers
• Contact persons at our suppliers and partners
• Individuals involved in cases we investigate
• Other individuals mentioned in case documents we access
• Visitors to our website and our office premises

3. Purpose, Types of Personal Data, and Legal Basis

Below is an overview of the purposes for which we process personal data, the types of personal data we process, and the legal basis for the processing.

3.1 Establishment of Customer Relationships

We process personal data about private customers in the form of name, postal address, postal code/city, telephone/mobile phone number, and email address. The legal basis follows from GDPR Article 6(1)(b) (to fulfill an agreement with the customer). For assignments for business customers, it is necessary to process personal data about contact persons at the customer. The processing concerns information about the names of contact persons, telephone/mobile phone numbers, and email addresses. The legal basis follows from GDPR Article 6(1)(f) (to safeguard a legitimate interest).

3.2 Case Handling and Information About Individuals Involved in the Case

In the investigation work, we will process personal data that is relevant to the case and the circumstances to be investigated or examined. This will typically be information about factual circumstances that are significant for assessing and deciding the case and the circumstances that the client wants clarified. The types of personal data that are relevant and necessary to process will vary from case to case and will depend on the type of case. When FaVer carries out investigation and examination assignments on behalf of business customers, for example, on behalf of an insurance company, we process personal data on behalf of the insurance company. The purpose of the processing and the data to be processed depend on the client's (the data controller's) legal basis and purpose. Some assignments involve us accessing personal data about parties or other individuals affected by the case to be investigated. Such information may appear in documents the customer sends or other correspondence in the case. This may, for example, concern personal data about claimants, opposing parties, contract parties, witnesses, contact persons at the business customer, and other individuals connected to the case. The legal basis for processing personal data concerning a private customer follows from GDPR Article 6(1)(b) (to fulfill an agreement with the customer). The legal basis for processing personal data about other individuals covered by the investigation follows from GDPR Article 6(1)(f) (to safeguard a legitimate interest). Individuals who may be covered by the investigation must generally consent to our processing of their personal data, cf. GDPR Article 6(1)(a). To establish, exercise, or defend a legal claim, it may be necessary in some cases to process special categories of personal data, including health information, information about trade union membership, criminal offenses/violations of the law. The legal basis for such processing follows from GDPR Article 9(2)(f) and the Personal Data Act § 11 (new law in 2018). Individuals who may be covered by the investigation must generally consent to our processing of their personal data, cf. GDPR Article 9(2)(a).

3.3 Customer Administration

Cases handled for customers are registered in our case management system. Here, all case documents are stored, and the time spent and costs incurred are recorded. The time spent and costs incurred form the basis for invoicing and settlement of our fees. When registering time and invoicing, information that can identify the case with the customer, such as case number, case name, and the name of the contact person at the business customer, will be processed. The legal basis for the processing follows from GDPR Article 6(1)(b) (to fulfill an agreement with the customer). For business customers, the legal basis follows from GDPR Article 6(1)(f) (to safeguard a legitimate interest).

3.4 Storage/Retention of Case Documents

All case documents are stored/retained securely and are subject to strict access control. Case documents will be stored for up to two months after the assignment is completed. The legal basis for the processing follows from GDPR Article 6(1)(f) (to safeguard a legitimate interest), GDPR Article 9(2)(f), or GDPR Article 17(3)(b) (to establish, exercise, or defend legal claims), and the Personal Data Act § 11 (new law in 2018).

3.5 Detecting and Preventing Financial Crime

Information necessary to meet the requirements given under the Money Laundering Act § 4(2) No. 3, cf. §§ 17 and 18, will be processed. The processing generally includes information about the customer's name, social security number, address, reference to identification, and type of identification. The legal basis for the processing follows from GDPR Article 6(1)(c) (to fulfill a legal obligation).

3.6 Visitors to Our Office Premises

When visiting our office premises, information about the visitor's name, date of the visit, the company the visitor may represent, the name of the employee being visited, the time of arrival, and the time the visitor leaves the premises will be recorded. The information will be stored for two months. The processing is necessary to have control and oversight of visitors to the company's premises, both for the visitor's own safety and to meet the requirements for personal data security, cf. GDPR Article 32. The legal basis for the processing follows from GDPR Article 6(1)(f) (to safeguard a legitimate interest) and GDPR Article 6(1)(c) (to fulfill a legal obligation).

3.7 IT Operations and Security

Personal data stored in our IT systems will be accessible to our suppliers in connection with system updates, implementation or follow-up of security measures, error correction, or other maintenance. The legal basis for the processing follows from GDPR Article 6(1)(f) (balancing of interests, cf. our legitimate interest related to the mentioned activities) and our legal obligation to have satisfactory information security, cf. GDPR Articles 32 and 6(1)(c) (to fulfill a legal obligation).

3.8 Contact Persons at Our Suppliers and Partners

We process personal data about contact persons at our suppliers and partners. The processing concerns information about the names of contact persons, title/position, telephone/mobile phone number, and email address. The processing is necessary to follow up on agreements and cooperation with our connections. The legal basis follows from GDPR Article 6(1)(f) (to safeguard a legitimate interest).

3.9 Markedsføring, kursvirksomhet og utsendelse av nyhetsbrev

Vi bruker vår hjemmeside Faver.no til markedsføring av firmaets tjenester.
Ved oppslag på hjemmesiden brukes informasjonskapsler. For publiseringsløsningen, FaVer session (er sesjons-avhengig, slettes når nettleseren lukkes). For å huske din aksept av bruk av informasjonskapsler: cookie notice_accepted (lagres i 1 år)

Rettslig grunnlag for behandlingen følger av GDPR artikkel 6 nr. 1 bokstav a (samtykke).

4. Whom We Share Personal Data

We use subcontractors for the storage, operation, and maintenance of the company's information and communication technology. All personal data is stored externally with our IT supplier. Personal data stored in the IT systems will be accessible to our suppliers in connection with operation, system updates, implementation or follow-up of security measures, error correction, or other maintenance. The suppliers act in accordance with the data processing agreement and under our instructions in accordance with GDPR Article 28. All employees at FaVer are subject to strict confidentiality. All information entrusted to us in connection with an assignment is handled confidentially. We do not disclose personal data in other cases or in ways other than those described in this privacy policy unless the customer explicitly requests or consents to this, or the disclosure is required by law.

5. How Long Personal Data is Stored

Personal data processed by us will be stored as long as necessary to fulfill the purpose of the processing. The data may be stored for a longer period if permitted or required by law. Here is an overview of how long we store personal data:

• Customer data and information about contact persons at business customers are stored as long as the customer relationship lasts, and for up to 10 years after the customer relationship has ended.
• Case documents, personal data in case handling, and personal data about the opposing party and other third parties are stored for up to two months after the assignment is completed.
• Data processed to detect and prevent financial crime is stored for five years after the customer relationship has ended or the transaction has been completed, unless longer periods are required by law or regulation. The documents and data will be deleted within one year after the retention obligation has ended.
• Data about visitors to our premises is stored for two months.
• Data about contact persons at our suppliers and partners is stored as long as necessary for the contractual relationship/cooperation, and for up to 10 years after the end of the agreement/cooperation.
• Personal data in connection with marketing, see section 3.9. Accounting legislation otherwise requires us to store certain accounting documents for a specified period. When a specific purpose requires storage for a given period, we ensure that the personal data is used exclusively for the relevant purpose during this period.

6. Your Rights

Under current privacy regulations (GDPR Chapter 3), you have rights that may apply when personal data about you is processed. Your rights may be limited by rules in the GDPR, the Personal Data Act, other legal provisions, or due to other circumstances. If you wish to exercise your rights, you can contact us or the financial institution/insurance company that is our client.

6.1 Withdrawing Consent

If the processing by us is based on your consent, you can withdraw your consent at any time. The decision to withdraw consent does not affect the legality of the processing carried out before the consent is withdrawn. Withdrawal of consent also does not affect data that can be processed under another legal basis.

6.2 Access and Information About the Processing

You can request information about the purpose of the processing, the category of personal data registered, who has received or been provided with the data, how long the data is expected to be stored, and information about the source of the data if obtained from others. You can also request a copy of the personal data processed about you. To ensure that personal data is disclosed to the correct person, we may require that the request for access be made in writing or that identity is verified in another way. Limitations on your right to access and information follow from GDPR Article 14(5) and the Personal Data Act § 16. The right does not apply to data that must be kept confidential for the prevention, investigation, detection, and prosecution of criminal offenses. The right to access and information also does not apply to data that is subject to confidentiality by law or under the law. Exceptions to the information obligation also apply if providing the information is impossible or would involve a disproportionate effort.

6.3 Correction or Deletion

You can ask us to correct incorrect information we have about you or ask us to delete personal data. The data cannot be deleted if the processing is necessary to fulfill an agreement with you as a customer or if the processing has another legal basis.

6.4 Data Portability

In some cases, you may have access to obtain personal data you have provided to us to have it transferred in a machine-readable format. If technically possible, it may be possible in some cases to have this data transferred directly to the other company.

6.5 Objecting to the Processing

You can object to the processing of personal data where the processing is based on consent or is based on a balancing of interests, cf. GDPR Article 6(1)(f).

6.6 Complaints to the Supervisory Authority

If you believe that we are processing your personal data in violation of applicable privacy regulations or that your rights under the privacy regulations are being violated, you can send a written complaint to the Data Protection Authority, P.O. Box 8177 Dep., 0152 Oslo. The Data Protection Authority's decisions can be appealed to the Privacy Appeals Board. We have appointed a Data Protection Officer. Before you possibly complain to the Data Protection Authority, you can first send a written inquiry to our Data Protection Officer. See section 8.

7. Security

We have established procedures to handle personal data securely. The measures are both technical and organizational. We regularly assess the security of all central systems used for handling personal data, and agreements have been made that require suppliers of such systems to ensure satisfactory information security. Access to personal data (and customer/case information) is limited to personnel who need access to perform their tasks. We have adopted internal IT guidelines, and we regularly train employees regarding security and the use of IT systems.

8. Data Protection Officer

Vi har oppnevnt advokat Erik Fjeldstad som personvernombud. Du kan ta kontakt med ham angående spørsmål om behandling av dine personopplysninger hos oss. Ombudet kan også svare på spørsmål om dine personvernrettigheter etter gjeldende personvernregler.

We have appointed lawyer Erik Fjeldstad as the Data Protection Officer. You can contact him regarding questions about the processing of your personal data with us. The officer can also answer questions about your privacy rights under applicable privacy regulations.

Contact information for our Data Protection Officer: Partner/lawyer Erik Fjeldstad, Law Firm Kogstad Lunde & Co DA, P.O. Box 1360 Vika, 0113 Oslo. Email: ef@klco.no