Data privacy.

Data privacy policy for Agenda Risk

This privacy policy provides information on how Agenda Risk AS (hereafter referred to as “Agenda Risk”) collects and handles personal data as part of our operations.

Agenda Risk, represented by the managing director, is the data controller for the processing of personal data in the company.

This statement contains information that you are entitled to when information is collected from our website or through other channels such as social and digital media, and general information on how we process personal data. This includes general customer data processing, employee-related data, and various forms of advisory assignments.

PROCESSING OF PERSONAL DATA ON WWW.AGENDARISK.NO

The managing director holds the daily responsibility for Agenda Risk’s processing of personal data on agendarisk.no and other processing activities as specified above, unless otherwise stated. Visitors to the website are not obligated to provide personal information when using the services we offer, such as receiving newsletters.

The legal basis for processing is consent from the individual, unless otherwise specified.

Information collected in connection with website operation is stored on dedicated servers managed by the provider. Only Agenda Risk has access to the information collected.

WEB STATISTICS

Agenda Risk collects information about visitors to agendarisk.no. The purpose of this is to generate statistics used to improve and further develop the information offering on the website. Examples of what the statistics answer include the number of visitors to different pages, the duration of visits, the websites users come from, and the browsers used.

The information is processed in a non-identifiable and aggregated form. Non-identifiable means that we cannot trace the collected information back to individual users.

We use Wordfence to maintain website security.

We use the Google Analytics analysis tool on our website. Information from this tool is not disclosed from Agenda Risk to other parties.

COOKIES

Cookies are small text files placed on your computer when you download a webpage.

Storing and processing of this information is not permitted unless the user has been informed about and has given consent for the processing. Users should be informed and approve of the information being processed, the purpose of processing, and who processes the information, as per the Law on Electronic Communication (ekomloven).

Cookies are placed on your computer if you visit Agenda Risk from Google, Facebook, Twitter, or LinkedIn. This enables us to identify the source of your visit and display information to you on the respective platforms.

Managing cookies (nettvett.no)

SHARING POSTS ON WWW.AGENDARISK.NO

When you share posts on a social platform, the information is usually stored by the platform you use. How the platform handles the data further is governed by your agreement with that platform. Information about you sharing a post is not stored by us.

NEWSLETTERS

Agenda Risk may send out newsletters regularly via email. To receive these emails, you need to provide an email address. The email address is stored in a dedicated database, is not shared with others, and is deleted if you unsubscribe from the newsletter.

CONTACT FORM

Through Agenda Risk’s website, you can submit inquiries similar to sending emails. The information registered goes directly into our email system and is both answered and processed from there. Our email system procedures are further described in the document.

SOCIAL MEDIA

Through social media, Agenda Risk occasionally gathers individuals interested in our campaigns. This could be related to job vacancies, targeted marketing, or other activities. These may include voluntarily registered names, phone numbers, email addresses, and questions related to the campaign. The administrator for each social media platform may have access to this information, limited to the period the social media platform can lawfully retain it.

CUSTOMER INFORMATION

Agenda Risk employees have access to information about businesses and contacts at customers as well as potential new customers with whom we have had dialogues. This access is based on a “need-to-know” principle and aims to provide the best possible service to customers. Only the managing director has access to important settings related to system administration. In response to requests for insight, personal data will be provided according to the Personal Data Act. Agenda Risk uses the CRM system Pipedrive.com.

PROCESSING OF PERSONAL DATA IN SERVICE DELIVERIES

Agenda Risk provides various advisory services. Some assignments may involve the processing of personal data, while others may not involve the processing of personal data beyond what is specified in the privacy policy’s section on processing customer information.

For assignments that inherently involve processing personal data, Agenda Risk may in some cases have the role of data controller, and in other cases the role of data processor.

For each individual assignment, we will independently assess whether Agenda Risk is considered a data controller or data processor.

In certain internal audits, data investigations, or similar assignments, Agenda Risk may be considered a data controller. The legal basis for processing in such cases will normally be Article 6, letter f, of the General Data Protection Regulation (Personvernforordningen).

The above assignments may involve the processing of special categories of personal data (commonly referred to as sensitive personal data). When gathering and processing personal data in such assignments, those affected will usually receive specific information regarding this, including more detailed information about the data subject’s rights, related to the specific assignment.

For most other assignments, Agenda Risk will act as a data processor, and the processing of personal data will be regulated by a data processing agreement, usually between the customer as the data controller and Agenda Risk as the data processor.

In such cases, the data processing agreement will be based on the template published by the Data Protection Authority (Datatilsynet), adjusted as necessary based on the service to be provided and other relevant factors.

SHARING INFORMATION

Agenda Risk may share certain personal data with:

• Third-party service providers who process personal data on behalf of Agenda Risk, such as for managing and operating our data, email systems, and accounting system, in addition to administering specific services and functions. Agenda Risk uses an external provider as a service provider for IT services and an external accounting system.
• Other third parties to the extent necessary to: (i) comply with requests from public authorities, a court order, or to comply with applicable laws; (ii) prevent illegal use of our websites or violations of our website terms and our policies; (iii) protect us against third-party claims; and (iv) assist with fraud prevention or investigation of fraud (such as forgery).

We may also transfer your personal data that we possess if we transfer all or part of our business or assets (including in the event of a reorganisation, split, dissolution, or liquidation).

PROTECTION AND MANAGEMENT OF YOUR PERSONAL DATA

Encryption and security: We use a variety of technical and organisational security measures, including encryption and authentication tools, to safeguard the security of your personal data. Your personal data is stored behind secure networks accessible only by a limited number of individuals with specific access rights.

International transfers of personal data: The personal data we collect and process on our websites will be stored in the EU/EEA.

We will not transfer personal data to countries outside the EU/EEA unless this is approved in writing by the data controller.

If personal data is to be transferred outside the EU/EEA, we will take measures to comply with the legal requirements that apply and ensure a satisfactory level of protection.

Storage of your information:
We will only store your personal data for as long as we deem necessary to fulfil the purpose of collection, unless otherwise required by law. Upon request, you have the right to inquire whether we process information related to your person.

Your rights related to your personal data:

You have the right to withdraw your consent to the use of your personal data. You also have the right to access your information and to request changes and/or corrections, restrictions on use, and deletion to the extent permitted by law. You can also request that personal data about you processed by us be transferred to another data controller if this is technically feasible. The right of access includes the right to request a copy of your personal data processed by us in a commonly used format. You can contact us to exercise your right to access, change, correct, or delete your personal data, or to object to the processing of your personal data using the contact information at the bottom of the page or by sending an email to post@agendarisk.no.

EMAIL AND PHONE

Agenda Risk and its employees use email and phone as part of daily work in general dialogue with internal and external contacts. Individuals are responsible for deleting messages that are no longer relevant and for reviewing and deleting unnecessary content in their email boxes at least once a year. When employees leave, their email accounts are deleted, but some relevant emails will usually be transferred to colleagues. Sensitive personal data should not be sent via email.

Please note that regular email is unencrypted. Therefore, we advise against sending confidential, sensitive, or other confidential information via email.

Employees have an overview of the latest calls on their phones. No other systematic registration of phone calls where the caller can be identified is performed.

EMPLOYEE INFORMATION

Agenda Risk processes personal data about its employees to manage payroll and personnel responsibilities. The legal basis follows from the Personal Data Act. The managing director is responsible for this. Necessary information for salary payment, such as basic data, salary level, time recording, tax percentage, tax municipality, and union affiliation, is registered. Other information about employees is related to their job description and adaptation of and for their work.

Deletion procedures for personnel information follow the Accounting Act (Regnskapsloven).

All job applications are stored in our electronic archive for about 12 months before they are shredded. Personnel files are cleared and archived when employment ends.

In connection with the recruitment of employees to Agenda Risk, background checks of job seekers will be conducted. Given the type of services that will be provided by Agenda Risk, specific requirements are set for each job seeker. The background checks that may be conducted will not aim to collect information subject to such “prohibitions” in the Gender Equality and Anti-Discrimination Act (Likestillings- og diskrimneringsloven) or the Working Environment Act (Arbeidsmiljøloven). For job seekers, an initial background check will be conducted through open sources, such as Google and media databases, without explicit notification to the individual in advance of the investigation. Personal data from any such surveys will not be stored or systematised by Agenda Risk. If more comprehensive investigations are to be conducted, for example, in connection with a job seeker being considered for a position at Agenda Risk, the individual will be informed in advance, including consent to such collection and storage of personal data.

An interest assessment has been made between Agenda Risk’s legitimate business interests and the job seeker’s right to privacy.

Everyone who asks is entitled to basic information about the processing of personal data in a company under the General Data Protection Regulation (Personvernforordningen). Those registered in one of Agenda Risk’s systems have the right to access their own information. The person also has the right to request that incorrect, incomplete, or insufficient information be corrected, deleted, or supplemented. Requests from the registered person should be answered free of charge and within 30 days at the latest.

RIGHT TO COMPLAIN

If you believe we are processing personal data about you incorrectly, differently than stated here, or otherwise in violation of relevant privacy legislation, please contact us at post@agendarisk.no. You also have the right to complain to a supervisory authority. In Norway, this is the Data Protection Authority (Datatilsynet).