Sicra will process personal data as part of our business. We are committed to processing personal data safely, reassuringly, and trustworthy.
Our processing as the controller of personal data is based on our activities and the purpose of our business, which is to provide services in the areas of cloud, cyber security, automatization, analysis, IT projects, and other related services.
Below is information about the personal data we process about you, the legal basis for the processing, the purpose of the processing, how long we process the personal data, etc.
We may also process personal data in other ways, as mentioned below, but we will inform you of the personal data that applies in ways other than through this notice.
We may also act as a data processor for our customers in connection with our services, which means our customers are responsible for processing it. See more about this below.
If you have questions about the processing of your personal data, you can contact us, see our contact details below.
Sicra is responsible for processing personal data described here, i.e. decides why and how the personal data is processed (the data controller). However, this does not apply where we act as a data processor, i.e., processing personal data on behalf of our customers, see Section 5.
Contact details on us as data controller:
Sicra AS
Address: Rosenholm Campus, Rosenholmveien 25, 1414 Trollåsen
Email: firmapost@sicra.no
Phone: +47 64 80 84 88
Entity reg. no.: 932 538 067
Sicra AS is also the contact for processing personal data in other companies in the group of companies of which it is part.
We collect and use your personal data for different purposes depending on who you are and how we contact you.
All processing of personal data will be in accordance with this Privacy Notice and the privacy regulations in force at any given time, including the local privacy regulation and the General Data Protection Regulation (GDPR).
Personal data is any information about a physical person that can be identified directly or indirectly (the latter are called “data subjects”).
Processing personal data is any activity performed with personal data, for example, collection, recording, organising, structuring, storing, adapting, altering, transmitting, or deleting.
If we are a data processor, i.e., we process personal data on behalf of others (the data controller). You may request information about the processing from the data controller. You can still contact us about processing your personal data, and we will refer you to the data controller. See also below about our role as a data processor.
Below are the processing activities we carry out as the data controller in our business.
We process personal data about those who contact us to answer and document the communication and contact others not covered by the processing elsewhere in the Privacy Notice, which applies to all forms of communication, physical and digital, written and oral.
In such cases, we process the name, telephone number, email address and any personal data that may result from the communication, including history/logs about the inquiry.
All information entered into contact forms on our website is securely stored, and the entire website is further secured through our SSL certificate. The information is used exclusively for the purpose stated upon submission. All data from contact forms that is not specifically used is also automatically deleted after 30 days.
The processing is based on what we consider a necessary legitimate interest related to the above (see GDPR Article 6(1)(f). Our legitimate interest is to contact others as part of our business, document our business, reply to those who contact us, and register such contacts. We have assessed that this is necessary to handle inquiries we receive and that the data subjects’ privacy does not override these interests.
Providing us with personal data is voluntary, but it will be necessary to answer inquiries.
We process the personal data until we expect that the contract will not be further followed up.
We use email as a communication solution and other business solutions, such as document storage, cooperation solutions, etc., that will contain personal data.
We also process customer relationship data, including form submissions, chatbot interactions, communications, preferences, interactions, your preferences and interactions with our marketing emails and advertisements (including email opens and link clicks).
The processing is based on that we consider having a necessary legitimate interest in processing personal data via email (see GDPR Article 6( 1 )(f) to have a work tool and communication solution and that the data subjects’ privacy does not override over these interests. Personal data processing depends on the purpose of the email and what is included in it. Emails and other information are deleted when no longer needed, and we have measures to ensure regular deletion.
In some cases, we may be data controller when providing services, especially when we provide some consulting services where we do not process personal data on behalf of our customers. In such cases, we will process personal data depending on the case we provide our services. We will process the name and contact details of our contact with the customer and information related to our service, which will vary from case to case. If you want more information on a specific case in which your personal data may be processed, please contact us.
If you request information or subscribe to our newsletter, we will send information about our products and services, benefits from partners, newsletters, and other information and marketing. We will then process your contact details and any information you provide in this context.
We process personal data to inform you about services and products that may interest you based on your consent (GDPR Article 6( 1 )(a). You can withdraw your consent at any time by using any unsubscribe options in the communications you receive or by contacting us to opt out of direct marketing and/or profiling under GDPR Article 21( 2 ).
We only process personal data, such as the email address and name, to send the newsletter, making the inquiry more personal and ensuring the communication reaches the right person. The email address is not used for any other purposes.
The processing will continue until you have received the requested information or withdrawn your consent. The information will be retained for up to 24 months for form submissions and inquiries through our webpage unless a business relationship is established. Information in our customer relationship management system will be reviewed every 12 months and deleted if no longer needed. Marketing tracking data will be stored for up to 12 months.
We may also send out information about our services and products that do not contain marketing. This will be done regardless of whether you have consented. Personal data will then be processed on the basis that we either fulfil a contract with you as an existing customer (GDPR Article 6( 1 )(b) or based on our legitimate interest in informing our users and contacts about our services (GDPR Article 6( 1 )(f). Alternatively, we may process the information based on your consent (GDPR Article 6( 1 )(a). The purpose of the processing is then to keep you updated about products and services you receive and follow up on purchases of products or services. The processing of personal data will occur as long as you receive our services.
We process personal data about contact persons of existing and potential business customers, suppliers, and other partners to manage our relationship with suppliers and others, prepare, implement, and document services and evaluate the use of services. In these cases, we will process names, contact information, company names and information related to the contact with the company in which the person in question works.
The processing of personal data is based on the necessary processing and legitimate interest in managing our relationships with our customers, partners, and suppliers.
The processing of personal data is based on what we consider a necessary legitimate interest (GDPR Article 6( 1 )(f) to manage the relationship with our customers, partners, and suppliers, and the data subject’s privacy does not override our interest.
We also store and disclose information where we have a legal obligation, for example, under accounting and tax legislation.
We may store information for as long as necessary to document services-related matters.
In many cases, we will need to obtain personal data to enter into agreements with customers and suppliers and, among other things, to document that an agreement has been entered into. We cannot enter into agreements if we do not receive the information we need.
It is voluntary for contact persons to provide us with personal data. If we collect personal data from others, it will mainly apply to contact information (including name, address, telephone number and email address), position, function, employer, and any competence and references where relevant. The source for such information will be the contact person, employer, or something else, such as the employer’s website.
We store personal data until the relationship with the customer, supplier, or partner ceases or until the contact person ceases to be the contact person, with the abovementioned exceptions.
CVs, applications, certificates, and references are processed when recruiting for new positions with us. If the processing takes place through a recruitment solution or on the basis that it is necessary and within our legitimate interest to recruit new employees, the processing in this solution may be based on the consent that you have given or on fulfilling an agreement with the solution provider which you have agreed to when registering in the solution
We may use recruitment services to manage applications, which will be our data processor. If you register with the job search service with your profile, the service will be a data controller responsible for processing, and reference is made to its privacy notice about the processing of personal data in the service. The processing of personal data is based on your consent in the recruitment service (GDPR Article 6( 1 )(a), obtained or the basis set forth below.
The basis for processing personal data when recruiting is that it is necessary to assess potential job seekers before entering into an employment agreement (GDPR Article 6( 1 )(b).
If assessments are made in this regard, such as contacting persons who are not listed as a reference, examining when searching for background, etc., personal data is processed based on our necessary legitimate interest in ensuring that the correct candidate for the position (GDPR Article 6( 1 )(f). For the latter, we have considered that the individual data subject’s privacy does not override our legitimate interest in recruiting new employees. We recommend that you not enter special categories of personal data, such as health, religion, political opinion, union membership, etc., in your application.
If we process special categories of personal data, we will do so based on your consent (GDPR Article 9( 2 )(a)). Consent can be withdrawn at any time, which will not affect the lawfulness of processing personal data before the consent was withdrawn.
If you have not agreed to further storage, information on the service will be deleted as soon as recruitment is done.
For event participants, contact information will be registered and processed, along with which event the person in question is to attend, so that the person in question can identify as registered and the necessary communication can be carried out.
For event participants, contact information will be registered and processed, as well as the event the person attended, so that the person can be identified as a participant and necessary communication and possible invoicing of participation fee can be carried out. Processing of personal data will be based on fulfilling an agreement with the participant (GDPR Article 6( 1 )(b) or if the participants represent a company on the basis that we have assessed that we have a necessary legitimate interest (GDPR Article 6( 1 )(f) by holding events as part of activities. In the latter case, we have considered that our legitimate interest overrides the data subject’s privacy.
If food and/or drinks are served, we may obtain information about food preferences, which can show health and/or religion. This information will only be processed to serve food and/or drinks and deleted immediately after the event. In such cases, the personal data will be processed based on consent.
Images and film may be recorded and used as part of our business. This can include use on websites, in marketing materials, etc. To the extent that images/films are made public, i.e., accessible to multiple persons, consent will be requested for such disclosure if the individuals in question constitute the main subject under Section 104 of the Norwegian Copyright Act (åndsverksloven). If the individuals depicted/filmed are not the primary focus, such as situational photos, images of an audience, etc., no consent will be obtained.
The processing of personal data related to images/films will be based on our legitimate interest in using images/film to show and market our activities (GDPR Article 6(1)(f)), as we consider that this interest outweighs any potential consequences for those depicted. We will only use images and film where it is clear to those depicted that recordings are taking place.
Personal data related to images and films will be processed for as long as necessary to use them. This duration will depend on the purpose of the images/films and may vary accordingly. We will review images/films regularly to determine whether individual videos/films should be deleted or retained.
We have a LinkedIn page and use LinkedIn to have contact with stakeholders and others. We are responsible for processing personal data in this connection with LinkedIn. Personal data will be processed through the page if you publish comments or “like” on our posts, or “like”/follow the page. Our purpose for processing personal data through LinkedIn is to have contact with you who wish to communicate with us or interact on our LinkedIn page in other ways, see also about communication under Section 2.2 above.
We process personal data on LinkedIn based on our legitimate interest in communicating with the outside world through social media and want to process personal data in this context (GDPR Article 6( 1 )(f)). We have considered it so that we must communicate with the outside world and handle inquiries we receive and that the data subject’s privacy does not come before these interests.
The data will be processed as long as postings/comments are available on our page, and you can delete this at any time.
We will use cookies or similar technology to collect information when you visit or interact with our website. We use the information collected to improve the customer experience on websites and services, to adapt and develop the website, and to offer functionality in the services. We also use the information to provide visitors with recommendations and service adjustments that are as relevant to you as possible. This will be given based on visitors’ behaviour, e.g., on services used, links clicked on, or information read, and on the behaviour of other users with similar usage patterns. In addition, cookies are used to provide customised marketing on our websites, in advertising networks, and on social media. As far as practically possible, we try to do this with anonymous information without knowing that the information is specifically linked to each individual visitor.
A cookie is a text file or information that, upon visiting or interacting with a website, is placed in your browser's internal memory or a number/series of numbers that can identify your browser or device using the websites (referred to as cookies below for simplicity's sake). You can prevent us from placing cookies in your browser. Many browsers or devices are set to accept cookies automatically, but you can change the settings so the cookies are not accepted. The disadvantage of disabling cookies in your browser is that web pages will not work optimally. The purpose of most cookies we use is to provide functionality for the services.
We also use tools other than cookies to collect information about your IP address, browser type, operating system, and the date and time of your visit to the website and services. This information is used to analyse trends to make the website and services more user-friendly, but it may also be used for marketing and social media interaction.
We use cookies and similar tracking technologies based on your consent, which you can provide when visiting our website. This consent allows us to store or access information on users’ devices, except in cases where such technology is strictly necessary, as stated in the Norwegian Electronic Communications Act § 3-15.
Personal data collected through cookies that are strictly necessary for the website to function, as well as other functional cookies, statistics, and website customisation, will be processed based on our legitimate interest (GDPR Article 6( 1 )(f)). We have assessed that our interest in processing personal data outweighs the individual user’s privacy concerns. However, we safeguard visitors’ privacy by using the data solely for statistical purposes. In these statistics, it is not possible to identify individual users. The data will be stored as long as necessary for the abovementioned purposes.
For personal data that we collect and process for website personalisation, depending on the type of data collected, as well as for marketing and analysis, including transfers to partners and other third parties such as advertising networks and social media, processing and transfers are based on your consent (GDPR Article 6( 1 )(a)).
Information about which cookies and similar technologies we use on the website, how long they collect data, and who the data is transferred to can be found by accessing the banner/box that appears when you visit the website for the first time or by clicking the icon at the bottom left of the website, where you can also change your cookie preferences and withdraw your consent.
However, we safeguard the privacy of website visitors by only using the information for statistics where individuals are not identified. The information will be processed as long as necessary for the abovementioned purposes.
If we process personal data based on your consent (see above), you can withdraw your consent at any time without affecting the lawfulness of processing before its withdrawal. Contact us if you want to withdraw your consent. Note that if you withdraw your consent, it may still be possible for us to continue processing all or part of the information if there is another basis for the processing.
We keep and store personal data for as long as necessary for the purpose it was collected and delete it under regulations. The length of time we process the individual data types is included above under the specification of the different processes.
When we delete the information included above where the individual processes are discussed, or else the storage period is based on the following criteria:
Whether we have a legal or contractual need to retain the information, as there may be claims directed against us
Whether the information is necessary for our business
Where the basis of processing is consent, when consent is withdrawn.
When we no longer have an ongoing legitimate need to process your personal data, it will be deleted or anonymised as quickly as possible in accordance with applicable law.
In some cases, it may be relevant to anonymise personal data instead of deleting it. Anonymisation removes all data that may identify or potentially identify data subjects (individual persons) from data sets.
This means, for example, that personal data that we process based on your consent will be deleted if you withdraw your consent. Personal data that we process in connection with sales or purchase agreements you have with us is deleted when the agreement is fulfilled. All obligations arising from the contractual relationship are fulfilled, such as legal obligations related to accounting, follow-up of customer-related complaints, etc. Personal data related to our fulfilment of legal obligations is deleted as soon as the legal obligations have been fulfilled, such as the obligation to keep accounts.
Customers who use our services are data controllers for the personal data processed by using the services and are responsible for processing the personal data when using the services. We will then process personal data on behalf of the customer, who is the data processor. A data processor agreement has been entered between the customers and us to regulate our processing of personal data on behalf of the customers.
As our customers are responsible for the processing (the data controller), you must contact our customer to enforce your rights; see below.
This privacy notice also applies to processing personal data about our customers, disclosing and transferring personal data, and security/technical matters. Personal data is deleted depending on when our customers choose to delete it. We will never use information or information from our services without our customers’ instructions or approval.
We send out emails to contact persons for our services and our customers to provide information about the services, such as technical conditions, upgrades, new functionality, etc., in addition to emails that are automatically generated by our services. Recipients of these emails can unsubscribe or inform us they do not want to receive them. See more below.
We will also be the data controller for certain personal data processed in connection with our services, which will include:
System Monitoring, Troubleshooting, etc.
We monitor our systems for errors and problems. Part of these processes involves storing and processing personal data. The legal basis for processing personal data for this purpose is our legitimate interest, as we believe we have a legitimate interest in ensuring that our systems and solutions do not have errors or problems.
Security
We process personal data to protect our solutions and services, users, and ourselves against security breaches, fraud activity, misuse, etc. The legal basis for processing personal data for this purpose is our legitimate interest. We also have duties under the data protection regulations to secure personal data (see GDPR Articles 24 and 32) and obligations towards our customers under the data processing agreement that is entered into with them.
Comply with Legal Obligations
We may be required to process personal data for other legal obligations, such as securing data concerning legal disputes, extradition demands, etc. The legal basis for processing personal data for this purpose is that the processing is necessary to fulfil a legal obligation that rests on us.
Communication to Users
We may send users information about the solution to inform them about its availability, functionality, and other conditions they should be aware of. Such mailings are done based on our legitimate interest in updating users about the solution. You can opt out of mailings, but we recommend not doing this as you may miss important information.
Your Rights
If we are the data processor processing personal data as indicated above, you must contact the data controller to exercise your rights. However, your rights will largely be the same as those listed below. If you contact us, we can also refer you to the data controller if we have this information.
If we are the data controller, find out more about your rights below, and you can contact us to enforce them.
We do not disclose or transfer personal data to others in cases other than those mentioned in this notice unless there is a legal basis for such disclosure/transfer. Examples of such a basis will typically be an agreement with or consent from the data subject or a legal basis that requires us to publish the information. The latter applies to public activities such as tax collection (if necessary), accounting/auditing, and other things we need in our business, such as a bank connection.
We use data processors to process personal data on our behalf. In such cases, we have entered into data processing agreements with the data processors to safeguard your rights and security for your personal data at all stages of the processing.
If it is required by law or there is a suspicion that a crime has been committed in connection with our services, personal data may be disclosed to public authorities, such as the police, in case of an investigation.
If personal data may be subject to transfer to another organisation in connection with a merger, financing, reorganisation or dissolution transaction of all or part of us, we will only do so if the parties involved have entered into an agreement where the collection, use and sharing of personal data is limited to the purposes of the transaction, including a provision as to whether or not the transaction will proceed, and the personal data shall only be used by the parties involved to complete and complete the transaction. If another company buys our business or assets, this company will have access to the personal data we collect and will assume the rights and obligations regarding your personal data as described in this privacy notice.
It is an objective that all processing of personal data shall be carried out within the EEA, but we may use suppliers or process personal data outside the EEA. In such cases, transfer and processing outside the EEA will take place in countries approved by the EU Commission or under a valid legal basis for the transfer of personal data under GDPR Chapter V. If transfer to countries approved by the EU Commission does not take place, the transfer will only take place after guarantees set out in GDPR Article 46( 2 ). You can get information on the lawful basis used for the transfer if you contact us.
Our website may contain links to other websites or third parties offering products or services and sites not under our control. These links are provided only as an opportunity for users to obtain more information. Websites not part of ours, i.e., not under the addresses sicra.no, will process personal data as the data controller and may have separate and independent privacy notices. We have no responsibility for the content and activities of these websites.
We prioritise the security of personal data in our business and will implement all required technical and organisational measures to secure your personal data. If possible, all processing will be encrypted and unavailable to anyone other than those needing personal data to perform their tasks (“need-to-know”).
We ensure that personal data is correct, accessible, and handled according to its degree of sensitivity. We also use various security technologies and information security procedures to protect your personal data from unauthorised access, use, or disclosure. Where necessary, risk assessments are carried out.
We have entered into data processor agreements with all our suppliers who process personal data, where they assume the same degree of security as we ensure in processing personal data.
We restrict access to personal data to staff or third parties who process it on our behalf. These parties are subject to a duty of confidentiality.
Routines have been established for handling breaches of information security and routines, and we will, if there are breaches that pose a risk to personal data, notify the supervisory authority (Datatilsynet) as soon as possible and no later than 72 hours after the breach is discovered. If the breach entails a high probability of the privacy of the data subjects affected by the breach, they will also be notified.
Below is a description of your rights when we process your personal data. To exercise your rights, you must contact us, see contact information above, or otherwise, if it follows below.
We strive to respond to your inquiry as soon as possible and within one month. If it takes longer than one month, you will be notified.
In some cases, we will request you to confirm your identity or provide additional information before you can exercise your rights to make sure that we only give access to your personal data to you - and not someone who pretends to be you.
Your rights set forth below apply where we are responsible for processing them. If we are a data processor for our customers, and you use services from one of our customers, the customer is responsible for the processing of personal data (the data controller). You must then contact the one from whom you receive the services to exercise your rights related to processing your personal data. Your rights will then essentially be as described below.
You have the right to information about the personal data we process about you. This policy provides information on the processing of personal data. You can also contact us if you want more information.
You have the right to request access to the personal data we processed about you. Contact us if you want such access.
If you request it, you will also receive a copy of the personal data we process about you. We may ask you to specify which data you wish to receive a copy of to make the release easier for us. Upon providing a copy of your personal data, we may require you to identify yourself to ensure we do not disclose personal data to unauthorised persons. The information about you will be sent in digital form unless you request it to be transferred in another manner.
You can ask us to correct or delete personal data. We will, as far as possible, accommodate a request to delete personal data, but we cannot do this if the data is necessary for us.
If we process personal data based on your consent, you can withdraw the consent at any time. The easiest way to withdraw your consent is as informed to you when you give your consent or to contact us.
You have the right to have your processing restricted or stopped in certain cases, see further in GDPR Article 21.
Where our processing is based on legitimate interests, you can object to processing your personal data. If you object, we shall cease the relevant processing unless there are compelling legitimate grounds for continuing the processing.
You may also object to processing personal data concerning you for marketing purposes, including profiling, to the extent that it is related to such direct marketing, as per GDPR Article 22( 2 ).
For personal data that you have provided to us, which is necessary to carry out an agreement with us, and which is processed automatically (i.e. not manually by us), you can request that the personal data be disclosed or transferred to another provider in a structured, commonly used and machine-readable format (data portability).
There will be no automated processing, including profiling, based on your personal data that may have legal effects or significantly affect those to whom personal data applies. See GDPR Article 22( 1 ) and ( 4 ).
If a data breach occurs, i.e., a breach of personal data security that would pose a high risk to your privacy, we will notify you without undue delay.
If you suspect that our processing of personal data is not in accordance with what we have described here or that we, in other ways, violate the privacy legislation. In that case, you can complain to the Norwegian Data Protection Authority. However, we ask you to contact us so we can correct the matter immediately.
You will find information about your rights and how to contact the Norwegian Data Protection Authority on the website: www.datatilsynet.no.
Should our services or regulations on processing personal data change, the information you provided here may change. The updated privacy notice is readily available on our website.