Privacy Notice

Forte Digital AS and Forte Optimize AS (jointly called «Forte» in the following) will as part of our business process personal data.

We are committed to processing personal data safely, securely, and trustworthy manner. Our processing as the controller of personal data is based on our activities and the purpose of our business. Information about the personal data we process about you, the legal basis for the processing, the purpose of the processing, how long we process the personal data, etc. is included below.

If you have questions about the processing of your personal data, you can contact us, see our contact details below.

RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

Forte Digital AS and Forte Optimize AS are responsible for processing personal data described here, i.e. deciding why and how the personal data is processed (the data controller). Each of the businesses is responsible for the processing in the business, and the information below applies to each of the businesses’ processing unless otherwise stated.

We may also process personal data in other ways mentioned below, but we will inform the personal data that applies in other ways than in this notice.

Contact details on us as data controller:

Forte Digital AS

Email: info@fortedigital.no

Phone: (+47) 22 12 06 56

Entity reg. no.: 919 321 369

WHY AND WHAT KIND OF PERSONAL DATA DO WE COLLECT AND USE

We collect and use your personal data for different purposes depending on who you are and how we get in touch with you.

All processing of personal data will be in accordance with this Privacy Notice, the privacy regulation in force at any given time, including the local privacy regulation and the General Data Protection Regulation (GDPR).

You will find information on the personal data we process about you, the purpose and the legal basis of the processing, how long we process the personal data, etc., in this section.

“Personal data” is any information related to a natural person, such as you.

“Processing” means anything that is done with personal data, such as collection, registration, organisation, structuring, storage, adaptation or change, retrieval, consultation, use, disclosure by transfer, dissemination, or any other form of making available, compilation or alignment, limitation, deletion or destruction.

If we are a data processor, i.e. we process personal data on behalf of others (which is the data controller), you may request information about the processing from the data controller. You can still contact us about processing your personal data, and we will refer you to the data controller. See also below about our role as a data processor.

Communication and contact

We process personal data about those who contact us to answer and document the communication and contact others not covered by the processing elsewhere in the Privacy Notice, which applies to all forms of communication, physical and digital, written, and oral.

In such cases, we process the name, telephone number, email address and any personal data that may result from the communication, including history/logs about the inquiry.

On the website, it is also register for our events and download whitepapers. If you give us data here, we will process personal data about you to the extent necessary for the above-mentioned needs. We review the collected data manually on a periodic basis. Data that is no longer relevant is deleted.

The processing is based on what we consider to have a necessary legitimate interest in processing related to the above (see GDPR Article 6 (1) f). Our legitimate interest is to have contact with others as part of our business and in documenting our business, as well as replying to those who contact us and registering such contact. We have assessed that this is necessary for us to handle inquiries we receive and that the data subjects’ privacy does not override these interests.

It is voluntary to provide us with personal data, but it will be necessary to provide us with the information to answer inquiries.

We process the personal data until we expect that there will be no further follow-up of the contact, typically for one year.

Email

We use email as a communication solution and other business solutions, such as document storage, cooperation solutions etc., that will contain personal data. The processing is based on what we consider having a necessary legitimate interest in processing personal data via email (see GDPR Article 6 (1) f) in order to have a work tool and communication solution so that the data subjects’ privacy does not override over these interests.

The personal data processing depends on the purpose of the email and what is included in it. Emails and other information are deleted when they are no longer needed, and we have measures in place to ensure regular deletion.In practice, this means that such emails are usually not stored longer than approximately one year without a basis for this. The basis for longer storage can be sales processes, existing customer or partner relationships or anything else relevant to our daily work.

Our security solutions also have access to email, but only in technical (machine only) processing.

We ask that personal information is not sent unencrypted by email to us beyond the personal information that is naturally sent in plain text when sending emails. Forte does not allow the receipt of large amounts of data through unencrypted solutions such as email. Contact your contact person if you need to send large amounts of personal data to us.

Information and marketing

If you request information or sign up for our newsletters or are an existing customer, we may send you information about our products and services, products for partners, newsletters and other information and marketing. As a consequence, we will process your name and email address.

The process of personal data is based on your consent (GDPR Article 6 (1) a) or that you are an existing customer with us (based on fulfilling an agreement with you (GDPR Article 6 (1) b). You can withdraw your consent at any time by using the link in the newsletter or contacting us to stop receiving newsletters. Your personal data will then be deleted.

When sending information about the services you use, which do not contain marketing, this will be done regardless of whether you have consented, and the personal information will be processed under GDPR article 6 (1) b by us having to fulfil an agreement with you. The purpose of the processing is to keep you updated about the services you receive.

We only process personal data that enables us to send you information, such as your email address. The email address is not used for anything other than sending out the newsletter. Personal data is processed as long as you receive information.

Business customers, suppliers, partners, etc.

We process personal data about contact persons of existing and potential business customers, suppliers, and other partners to manage our relationship with suppliers and others, prepare, implement, and document services and evaluate the use of services. In these cases, we will process names, contact information, company names and information related to the contact with the company in which the person in question works.

The processing of personal data is based on the necessary processing and legitimate interest in handling the relationship with our customers, partners, and suppliers.

The processing of personal data is based on that we consider to have a necessary legitimate interest (GDPR Article 6 (1) f) to manage the relationship with our customers, partners and suppliers, and that the data subject’s privacy does not override our interest.

We also store and disclose information where we have a legal obligation to do so, for example, under accounting and tax legislation.

We may store information for as long as we believe it may be necessary to document matters relating to services.

In many cases, it will be necessary for us to obtain personal data to enter into agreements with customers and suppliers, among other things, to document that an agreement has been entered into. If we do not receive the information we need, we will not be able to enter into agreements.

It is voluntary for contact persons to provide us with personal data. If we collect personal data from others, it will mainly apply to contact information (including name, address, telephone number and email address), position, function, employer, and any competence and references where relevant. The source for such information will be the contact person, employer, or something else, such as from the employer’s website. In some cases, we obtain references from others to assess the suitability of suppliers and partners.

We store the personal data until the relationship with the customer, supplier or partner ceases or until the contact person is no longer the contact person, with the exceptions mentioned above.

Recruitment

When recruiting for new positions with us, e.g. CV, application, certificates and references are processed. Processing of personal data takes place on the basis of consent that you have given if processing takes place through, e.g. recruitment solution, or on the basis that it is necessary and within our legitimate interest to recruit new employees.

We use the recruitment service Workable to manage applications and will then be our data processor. If you register with the job search service with your own profile, the service will be a data controller responsible for processing, and reference is made to its privacy notice about the processing of personal data in the service. The processing of personal data is based on your consent in the recruitment service (GDPR Article 6 (1) a), obtained or the basis set forth below.

The basis for processing personal data when recruiting is that the processing is necessary to make assessments of possible job seekers prior to entering into a possible employment agreement (GDPR Article 6 (1) b).

If assessments are made in this regard, such as contacting persons who are not listed as a reference, examining when searching for background, etc., personal data is processed on the basis of our necessary legitimate interest in ensuring that the correct candidate for the position (GDPR Article 6 (1) f). For the latter, we have considered that the individual data subject’s privacy does not override our legitimate interest in recruiting new employees. We recommend you not to enter special categories of personal data, such as health, religion, political opinion, union membership, etc., in your application.

Information in the service is deleted as soon as the recruitment is done if you have not agreed to further storage.

Events etc.

For participants in events, contact information will be registered and processed and which event the person in question is to attend so that the person in question can identify as registered and the necessary communication can be carried out.

For participants in events etc., contact information will be registered and processed, as well as which event the person attended so that the person can be identified as a participant and that necessary communication and possible invoicing of participation fee can be carried out. Processing of personal data will be based on fulfilling an agreement with the participant (GDPR Article 6 (1) b), or if the participants represent a company on the basis that we have assessed that we have a necessary legitimate interest (GDPR Article 6 (1) f) by holding events as part of activities. In the latter case, we have considered that our legitimate interest overrides the data subject’s privacy.

In the event that food and/or drinks are served, we may obtain information about preferences on food, which can show the health and/or religion based on the preferences. This information will only be processed for the purpose of serving food/drinks and will be deleted immediately after the event. In such cases, the personal data will be processed on the basis of consent.

Information as mentioned above is stored for a short period after the arrangement so that we can send you any forms for feedback and the like. After that, the information will be anonymised so that we only have data for statistical purposes again.

Camera in intercom

A camera with a microphone is installed at the entrance area on street level with us to ensure that we do not let unauthorised people in. The camera and microphone are activated manually when you ring the doorbell. The image of the entrance area is shown in real-time and does not have the option of recording.

The processing basis for this processing is GDPR Article 6 (1) f, which allows us to process personal data that is necessary to protect a legitimate interest that outweighs consideration of the individual’s interests or privacy rights. Your legitimate interest in securing access to our premises.

Social media

We have contact with stakeholders and others through social media. Among other things, we have established a Facebook page, where we are responsible for processing personal data in this connection with Facebook. Personal data will be processed through the Facebook page if you publish posts on the page, comment on posts, or «like»/follow the page. Our purpose for processing personal data through Facebook is to have contact with you who wish to communicate with us or interact on our Facebook page in other ways, see also about communication under section 2.1.

In this context, your name and link to other information that you have posted on Facebook associated with your name/account on Facebook are processed. In addition, everything you share through posts and comments on our Facebook page and the fact that you have “liked”/followed our website is processed. What you share on the Facebook page is up to you and voluntary.

We ask you not to share personal information in posts or comments on the website, and especially not to share personal information about others, e.g. by «tagging» or mentioning people.

We process personal data on social media, such as Facebook, because we believe we have a legitimate interest in communicating with the outside world through social media and want to process personal data in this context (GDPR Article 6 (1) f). We have considered it so that this is necessary for us to communicate with the outside world and handle inquiries we receive and that the data subject’s privacy does not come before these interests.

The data will be processed as long as postings/comments are available on social media, and you can delete this at any time.

Use of websites, cookies etc.

We will use cookies or similar technology to collect information when you visit or interacts with our website. We use the information collected to improve the customer experience on websites and services, to adapt and develop the website, and to offer functionality in the services. We also use the information to provide visitors with recommendations and service adjustments that are as relevant to you as possible. This will both be given on the basis of visitors’ behaviour, e.g. on the basis of services used, links clicked on, or information read, and on the basis of the behaviour of other users with similar usage patterns.

In addition, cookies are used to provide customised marketing on our websites, in advertising networks and on social media. As far as is practically possible, we try to do this with anonymous information without us knowing that the information is linked specifically to the individual visitor.

A cookie is a text file that, when visiting or interacting with a website, is placed in your browser’s internal memory or a number/number series that can identify your browser or device that uses the website (referred to as cookies below for simplicity).

You have the ability to prevent us from placing cookies in your browser. Many browsers or devices are set to accept cookies automatically, but you can choose to change the settings yourself so that the cookies are not accepted. The disadvantage of disabling cookies in your browser is that the web pages will not work optimally. The reason is that the purpose of most cookies we use is to provide just functionality on the services.

We also use tools other than cookies to obtain information about your IP address, the type of browser you use, your broadband provider, operating system, date and time of visit to the website and services. We use this information to analyse trends so that we can make the website and services more user-friendly.

We use both cookies and other tools to carry out web analysis. To the extent that this information can be used to identify you as an individual, the use will be based on your consent. In cases where the data is anonymous, we do not want to use consent as a processing basis for this processing.

We also use loggers and data from our web server to generate statistics on visits to our websites. The statistics enable us to improve the information on our website. The information contains various variables, such as which page you have visited, what you have searched for on our pages, the date and time of visit, as well as technical information about your device. The web server immediately anonymises the IP addresses of visitors. In practice, it will not be possible to identify the visitors from the remaining parameters. The statistics are therefore anonymous and cannot therefore be linked to you as an individual.

Which cookies are used on the website can be found in the preferences for the cookies you choose, see button at the bottom left of the website.

We process personal data above on the basis of our necessary legitimate interest (GDPR Article 6 (1) f) to adapt the website to our users and that this interest outweighs the individual’s privacy. We will also process information based on the consent you give by using our website (GDPR Article 6 (1) a). Such consent can be withdrawn at any time by using functionality on the website. However, we safeguard the privacy of visitors to the website by only using the information for statistics. In these statistics, it is not possible to identify individuals. The information will be kept as long as it is necessary for the purposes mentioned above.

Retention and deletion of personal data

We keep and store personal data for as long as is necessary for the purpose for which the personal data was collected, and we delete the data under requirements in regulations. How long we process each type of data we process is included above where each processing operation is described.

Instead of deleting the personal data, it may be relevant to anonymise the personal data in some cases. By anonymisation, all data that may identify or potentially identify data subjects (individual persons) are removed from data sets.

This means, for example, that personal data that we process based on your consent will be deleted if you withdraw your consent. Personal data that we process in connection with sales or purchase agreements you have with us is deleted when the agreement is fulfilled, and all obligations arising from the contractual relationship are fulfilled, such as legal obligations related to accounting, and follow-up of the customer-related complaints, etc. Personal data related to our fulfilment of legal obligations is deleted as soon as the legal obligations have been fulfilled, such as the obligation to keep accounts.

Disclosure or transfer of personal data

We do not disclose or transfer personal data to others in cases other than those mentioned in this notice and unless there is a legal basis for such disclosure/transfer. Examples of such a basis will typically be an agreement with or consent from the data subject or a legal basis that requires us to publish the information. The latter applies to public activities such as tax collection (if necessary), accountant/auditor, as well as others that we need in our business as a bank connection.

We use data processors to process personal data on our behalf. In such cases, we have entered into data processing agreements with the data processors to safeguard your rights and security for your personal data at all stages of the processing.

If it is required by law or there is a suspicion that a crime has been committed in connection with the use of our services, personal data may be disclosed to public authorities.

If personal data may be subject to transfer to another organisation in connection with a merger, financing, reorganisation or dissolution transaction of all or part of us, we will only do so if the parties involved have entered into an agreement where the collection, use and sharing of personal data is limited to the purposes of the transaction, including a provision as to whether or not the transaction will proceed, and the personal data shall only be used by the parties involved to complete and complete the transaction. If another company buys our business or assets, this company will have access to the personal data collected by us and will assume the rights and obligations regarding your personal data as described in this privacy notice.

Transfer of personal data to recipients in countries outside the EEA

It is an objective that all processing of personal data shall be carried out within the EEA, but it may be that we use suppliers or process personal data outside the EEA, see above. In such cases, transfer and processing outside the EEA will take place in countries approved by the EU Commission or under a valid legal basis for the transfer of personal data under GDPR Chapter V. If transfer to countries approved by the EU Commission does not take place, the transfer will only take place after guarantees set out in Article 46 (2) of the GDPR. You can get information on the lawful basis used for the transfer if you contact us.

Processing personal data as part of services

Customers who use our services are data controllers for the personal data processed by use of the services and are then responsible for the processing of the personal data processed when using the services. We will then process personal data on behalf of the customer and are then the data processor. A data processor agreement has been entered into between the customers and us to regulate our processing of personal data on behalf of the customers.

Forte Digital primarily uses websites and associated services provided by Hubspot as well as some of the tools we provide. Where we operate ourselves, we also use external consultants. All our suppliers are obliged to work from the EEA, and in cases where data is stored on servers, it is stored on servers within the EEA. The processing is based on agreements between us as subcontractor and the customer as data processor, such processing is based on agreements between us as parties and you are always subject to a separate data processing agreement.

As it is our customers that are then responsible for the processing (data controller), you must contact our customer to enforce your rights, see below.

The information in this privacy notice will also apply to our processing of personal data about our customers’ customers with regard to the disclosure and transfer of personal data and security/technical matters. For deletion of personal data, it depends on when our customer chooses to delete the information. We will never use information or information from our services without this being instructed or approved by our customers.

Security of processing

We prioritize the security of personal data in our business and will implement all required technical and organisational measures to secure your personal data.

We ensure that the personal data is correct, accessible and handled according to the degree of sensitivity of the information. We also use a variety of security technologies and information security procedures to protect your personal data from unauthorised access, use or disclosure. Where necessary, risk assessments are carried out.

We have entered into data processor agreements with all our suppliers who process personal data, where they assume the same degree of security as we ensure in our processing of personal data.

We restrict access to personal data to the staff or third parties who process the personal data on our behalf. These parties are subject to a duty of confidentiality.

Routines have been established for handling breaches of information security and routines, and we will, if there are breaches that pose a risk to personal data, notify the supervisory authority (Datatilsynet) as soon as possible and no later than 72 hours after the breach is discovered. If the breach entails a high probability of the privacy of the data subjects affected by the breach, they will also be notified.

Your rights when we process personal data about you

You will find a description of your rights when we process personal data about you. To exercise your rights, you must contact us, see contact information above, or otherwise, if it follows below.

We strive to respond to your inquiry as soon as possible and no later than 30 days. If it takes longer than 30 days, you will be notified.

In some cases, we will request you to confirm your identity or provide additional information before you can exercise your rights to make sure that we only give access to your personal data to you - and not someone who pretends to be you.

Your rights set forth below apply where we are responsible for the processing. If we are a data processor for our customers, and you use services from one of our customers, the customer is responsible for the processing of personal data (data controller). You must then contact the one you receive the services from in order to exercise your rights related to the processing of your personal data. Your rights will then essentially be as described below.

Information

You have the right to get information about the personal data we process about you. Through this policy, you get information on the processing of personal data. You can also contact us if you want more information.

Access to your personal data

You have the right to request access to the personal data we processed about you. Contact us if you want such access.

Correction and deletion

You can also ask us to correct any personal data or ask us to delete personal data. We will as far as possibly accommodate a request to delete personal data, but we cannot do this if the data is necessary for us.

Processing based on your consent

If we process personal data based on your consent, you can withdraw the consent at any time. The easiest way to withdraw your consent is as informed to you when you give your consent or to contact us.

Right to protest or restrict the processing

You have the right to have your processing restricted or stopped in certain cases, see further in Article 21 of the GDPR.

The right to data portability

For personal data that you have provided to us, which is necessary to carry out an agreement with us, and which is processed automatically (i.e. not manually by us), you can request that the personal data be disclosed or transferred to another provider in a structured, commonly used and machine-readable format (data portability).

Automated processing, including profiling

There will be no automated processing, including profiling, based on your personal data that may have legal effects or that significantly affect those to whom personal data applies. See GDPR Article 22 no. 1 and 4.

Complaints

We use the Norwegian Supervisory Authority (Datatilsynet) in Norway as the leading supervisory authority for cross-border processing under GDPR Article 56. You can therefore direct any complaint to the Norwegian Data Protection Authority.

If you suspect that our processing of personal data is not in accordance with what we have described here or that we, in other ways, violate the privacy legislation. In that case, you can complain to the Norwegian Data Protection Authority. However, we ask you to contact us first to correct the matter as soon as possible.

You will find information about your rights and how to contact the Norwegian Data Protection Authority on the website: www.datatilsynet.no.

Amendments

Should there be a change in our services or changes in the regulations on the processing of personal data, it may change the information you have provided here. Har vi dine kontaktopplysninger, vil vi gjøre deg oppmerksom på disse forandringene. You will find the updated privacy notice readily available on our website.