This Privacy Policy (hereinafter – the Policy) details how the Norway Registers Development AS (hereinafter – the NRD AS) processes personal data and how cookies are used on its website and self-service portal. It also describes the basic rights of a Data Subject which are enshrined in data protection legislation.
This Policy applies to the mutual relations of the NRD AS and persons who use, have used or have expressed the intention to use, or who are in any way associated with, the services and/or activities of the NRD AS.
The NRD AS shall ensure the confidentiality of personal data in keeping with the requirements of applicable legislation and the implementation of appropriate technical and organisational measures to protect personal data from unlawful access, disclosure, accidental loss, alteration or destruction, or other unlawful processing. In processing personal data, the NRD AS shall abide by the General Data Protection Regulation, the Law on Legal Protection of Personal Data, and other legal acts regulating this area.
Note that in the future this Policy may be modified in light of changes to legislation or NRD AS activities, hence its periodic review is encouraged.
1. DEFINITIONS
A Personal Data Subject (hereinafter – Data Subject) in the NRD AS is a natural person (who uses, has used or has expressed the intention to use services provided by the NRD AS) or a person associated with such a person (their representative, spouse, partner or the like). Also deemed a Data Subject is a natural person associated with a legal person that is an NRD AS client and/or shareholder.
A Personal Data Controller is an NRD AS (belonging to the UTIB INVL Technology) whose services you use, have used or have expressed the intention of using, or whose shareholder you are or with whose activities you are associated. The list of NRD AS and their contact details are published on the website https://www.nrdcompanies.com/en/contacts/.
A Personal Data Processor is a natural or legal person who processes personal data in the name of or on behalf of a Personal Data Controller.
Personal Data is any information relating to a natural person (Data Subject) whose identity is known or can be directly or indirectly established by use of such data as a personal identification number or one or more factors specific to the physical, physiological, psychological, economic, cultural or social identity of that person.
Biometric Data is personal data (in this case a Data Subject’s facial image) resulting from specific technical (facial image and identity document) processing, based on which the identity of a Data Subject can be determined and/or confirmed.
Personal Data Processing is any action performed with personal data: collection, recording, storage, classification, grouping, combination, alteration, provision, publication, use, logical and/or arithmetic operations, search, dissemination, destruction, or another action or set of actions.
The General Data Protection Regulation (hereinafter – GDPR) is Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. Other terms used in the Policy are understood as they are defined in the GDPR and other legal acts.
2. CATEGORIES OF PERSONAL DATA
Depending on the services or products which a Data Subject intends to use or does use, NRD AS processes different categories of personal data. Personal data may be obtained directly from a Data Subject, from activities of the Data Subject in using services or NRD AS website, and from external sources such as registers and other third parties (for example, the State Social Insurance Fund Board, registers of debtors and legal persons when the Data Subject is a shareholder, etc.), if NRD AS has the consent of the Data Subject or legal acts authorise that.
If a Data Subject does not agree to provide their personal data, provision of NRD AS services to them may be refused.
If a Data Subject provides NRD AS with data of other persons associated with them, the Data Subject must obtain those persons’ consent and acquaint them with this Policy.
2.1 Main personal data categories
The main categories of personal data include but are not limited to:
- Personal identity data, such as name, surname, personal code, date of birth, and personal identity document data;
- Contact details, such as address, telephone number and e-mail;
- Data regarding education and professional activities;
- Financial data, such as data regarding property, income and obligations;
- Bank account data;
- Financial experience and investment objectives;
- Data related to implementing the Know Your Client principle, such as data regarding the origin of funds, true beneficiaries, country of tax residency, citizenship, and information about a Data Subject’s participation in politics;
- Data about a Data Subject’s loved ones, such as information about close family members’ participation in politics;
- Data related to the provision of services and to the customers’ satisfaction with them, such as data regarding the performance or non-performance of agreements, agreements entered into, agreements which are in effect or have expired, requests submitted, declarations made, and a Data Subject’s feedback regarding services;
- Data collected using means of communication or other technical means, such as video surveillance data, data collected while interacting by telephone or e-mail, and data related to a Data Subject’s visit to NRD AS websites or use of self-service portals (for example, IP address, log-in details, website visit history, etc.).
- Data obtained in fulfilling the requirements of legal acts, such as data obtained through inquiries made by notary publics, tax authorities, courts or debt collectors;
- Data regarding legal representatives (acting under a power of attorney or on some other basis);
- Data regarding ties to legal persons, such as a legal person’s head, shareholder, member of the board or other governance body, true beneficiary, or similar data needed for purposes of executing a transaction in the name of a legal person.
2.2 Special personal data categories
In certain cases the personal data processed by NRD AS may also include special-category personal data:
- biometric data obtained in establishing a Data Subject’s personal identity remotely through the direct transmission of a photograph. Such data are processed only after obtaining the consent of the Data Subject and are retained while the Data Subject uses NRD AS services and for a further 8 years after the Data Subject stops using those services.
- data related to convictions and criminal offences. Such data are gathered and processed only when and to the extent that it is essential in the conduct of investments and to the extent allowed by legal acts. They are retained during the lifetime of the collective investment undertaking and for no more than 2 years after the end of such period.
NRD AS processes special-category personal data only after obtaining the consent of the Data Subject or if such processing is envisaged in the requirements of the law.
3. PURPOSES AND LEGAL BASIS FOR PROCESSING PERSONAL DATA
The basis for NRD AS’s processing of personal data may be the performance of agreements made with a Data Subject or the intention to enter into an agreement, a Data Subject’s consent to the processing of their personal data for a specific purpose, or the fulfilment of obligations applicable to NRD AS by law. NRD AS may also process personal data based on the concept of legitimate interest (to strengthen IT security, for example) when it has met the requirements established by the GDPR. Under the conditions set out in the applicable legislation, one or more of the above specified legal bases may be adopted for the processing of the same personal data of a Data Subject.
NRD AS may process a Data Subject’s data for the following purposes (including but not limited to cases where separate consent of the Data Subject is obtained for processing the data):
- In order to provide NRD AS’s services and for other activities, including risk assessment, as foreseen in the legal acts applicable to NRD AS’s activities;
- In order to inform the Data Subject about the processing of their services, sales-purchases and securities, and about other agreements with NRD AS;
- In order to inform the Data Subject about NRD AS’s services;
- In order to obtain information from the Data Subject regarding NRD AS’s services;
- To ensure the security of NRD AS and Data Subjects and their assets through video surveillance;
- To assess the execution and performance of NRD AS’s agreements and the quality of services provided by NRD AS (for example, by recording phone calls), to request an opinion about services provided and their quality, to conduct market research, and to organise contests and campaigns for Data Subjects;
- To analyse and forecast the Data Subject’s habits and needs and ongoing operations with regard to NRD AS’s services in order to ensure provision of optimal service to the Data Subject and make personalised offers;
- To perform legal obligations, including implementation of the Know Your Customer principle and prevention of money laundering and terrorist financing.
- For the protection, maintenance and improvement of technical equipment and IT infrastructure by taking measures to prevent the abuse of services and by seeking to ensure appropriate provision of services;
- For other lawful purposes, as set out in legal acts.
4. RIGHTS OF A DATA SUBJECT
A Data Subject has the right guaranteed by data protection legislation to ask that a Personal Data Controller, after confirming the Data Subject’s personal identity, do the following:
- provide information on whether it processes personal data of the Data Subject and, if it does, to acquaint the Data Subject with the personal data of theirs which is processed, and to inform them what personal data of theirs is obtained from what sources for what purpose and how it is processed (including automated decision-making and its significance and consequences for the Data Subject), how long it is stored, and to whom it is provided (the right to get acquainted with one’s own personal data);
- rectify or correct incorrect, incomplete or inaccurate personal data of the Data Subject (the right to demand the rectification of personal data);
- under certain circumstances specified in the GDPR (when personal data have been processed unlawfully, the basis for processing the data has disappeared, and so on), to erase the Data Subject’s personal data (the right to demand the erasure of personal data – “the right to be forgotten”);
- under certain circumstances specified in the GDPR (when personal data have been processed unlawfully, while a request of the Data Subject’s regarding the accuracy or processing of data is being considered, etc.), to restrict the processing of the Data Subject’s personal data, except for its storage (the right to restrict the processing of personal data);
- provide in writing or in a commonly used electronic form personal data that the Data Subject has provided to the Personal Data Controller which is processed by automated means on the basis of that person’s consent or performance of an agreement, and, if possible, transfer such data to another service provider (the right to personal data portability).
When NRD AS processes a Data Subject’s personal data on the basis of their consent, the Data Subject has the right to withdraw the consent they have given at any time and the data processing based on that consent will be halted immediately. Note that when consent is withdrawn, it may be that NRD AS will be unable to offer the Data Subject certain services or products but will continue to use personal data of the Data Subject, for example, to perform an agreement entered into with the Data Subject or if that is required by law.
A Data Subject has the right at any time to object to:
- the processing of their personal data, undertaking to present their legally grounded objection to the Personal Data Controller in writing or in another way by which the Data Subject’s identity can be established, if the basis for processing the personal data is the Personal Data Controller’s legitimate interests;
- the processing of their personal data for purposes of direct marketing (including related profiling) and has the right to not give a reason for that objection;
- being subject to a decision based solely on automated processing, including profiling, which has legal effects in their regard or similarly significantly affects the Data Subject. This right shall not apply if such decision-making is necessary for entering into or performing an agreement with the Data Subject, is authorised by applicable legislation, or is based on the explicit consent of the Data Subject.
A Data Subject has the right to present a complaint regarding processing of personal data to the Norwegian Data Protection Authority (https://www.datatilsynet.no/en/) if the Data Subject thinks their personal data is being processed in violation of their rights and lawful interests under the applicable legislation. We kindly request that issues which arise be addressed first of all to NRD AS, so that we can resolve them as quickly as possible.
5. PROCEDURE FOR HANDLING REQUESTS REGARDING EXERCISE OF A DATA SUBJECT’S RIGHTS
A Data Subject must present any request to exercise the specified rights to their Personal Data Controller (see section 1, “DEFINITIONS”). Contact data for NRD AS’s AS is published on the website https://www.nrdcompanies.com/en/contacts/.
To protect against any disclosure of personal data processed by NRD AS to persons without the right to receive it, when a request to provide data or exercise other rights is received from a Data Subject, first of all that person’s identity shall be established. If the identity verification process is successful, NRD AS undertakes, without undue delay but never later than within one month of receiving the Data Subject’s request, to provide information about actions taken with regard to the request submitted by the Data Subject. In light of a request’s complexity or if a Data Subject submits several requests, NRD AS shall have the right to extend the one-month period by two more months, informing the Data Subject about that by the end of the first month and specifying the reason for the extension.
A Data Subject is not required to pay any fee to obtain information about their processed personal data (or to exercise any other rights). NRD AS may, however, charge a reasonable fee if a Data Subject’s request is clearly unfounded, submitted repeatedly or disproportionate.
6. RECIPIENTS OF PERSONAL DATA
A Personal Data Controller may disclose/transmit a Data Subject’s personal data for processing to the following third parties, including but not limited to parties which assist the Personal Data Controller in performing and administering the provision of services:
- companies which provide information technology services (in order to ensure the maintenance, improvement and upgrading of information systems);
- companies which provide website administration and related services;
- companies which provide document storage and archiving services;
- companies which provide postal services (for sending reports and other notifications to a Data Subject);
- auditors;
- credit and financial institutions, including a depository, the Nasdaq Vilnius securities exchange, financial intermediaries, the central depository, and third parties participating in the financial instrument trading lifecycle of execution, clearing and settlement;
- legal, tax and other consultants, the acquisition and/or provision of whose services NRD AS intermediates according to the terms of agreements entered into by NRD AS and the Data Subject;
- debtor registers, which accumulate information about missed payments, and debt collection companies;
- providers of call centre services, if NRD AS has one;
- AS retained by NRD AS which provide services of assessing the quality of services provided by NRD AS (including the collection of opinions about services, customer service and their quality), market research, and the organisation of games and campaigns for Data Subjects;
- other third parties retained by NRD AS which help NRD AS provide the Services and fulfil obligations arising under applicable laws and other legal acts.
Data are also provided to:
- state institutions and other persons performing functions entrusted to them by the law (for example, law enforcement bodies, bailiffs, notaries public, and institutions responsible for tax administration and the supervision of NRD AS or collective investment undertakings managed by UTIB INVL Technology, including but not limited to the Financial Crime Investigation Service, the Competition Council, and corresponding institutions of other countries which supervise NRD AS and its assets);
- the State Tax Inspectorate, in order to implement the Agreements between the Government of the Kingdom of Norway and the Government of the United States of America to Improve International Tax Compliance and to Implement FATCA as well as other international obligations of the Kingdom of Norway in this area.
NRD AS commits to take the necessary measures and endeavour that other persons to whom personal data may be provided also process personal data in keeping with NRD AS’s indications and the applicable legislation, and implement appropriate personal data protection measures.
7. PERSONAL DATA RETENTION PERIOD
Personal data shall be processed no longer than is necessary to fulfil the purposes of the data’s processing. Retention periods for personal data shall be defined in internal legal acts in light of the nature of agreements with a Data Subject, NRD AS’s legitimate interests and requirements of the law (for example, accounting and anti-money laundering requirements, the statute of limitations for a claim, etc.).
As a general rule, NRD AS processes personal data collected in providing services for as long as the Data Subject uses NRD AS’s services, and retains the data for 10 years after the Data Subject stops using those services.
For the purpose of inquiring about a customer’s experience using NRD AS services, a Data Subject’s personal data (name, surname, e-mail address, telephone number) shall be processed for 2 months after the end of business relations with the customer. A Data Subject has the right at any time to not consent to the processing of their personal data, as set out above.
If a Data Subject uses contact forms on NRD AS’ websites to submit queries, information provided in those forms, including the Data Subject’s contact details, will be retained until the query is addressed, and no longer than for 1 year after the query is submitted, unless a longer retention period is lawfully permitted for other reasons.
8. GEOGRAPHICAL TERRITORY OF PROCESSING
NRD AS generally processes a Data Subject’s personal data only within the territory of the European Union/European Economic Area (EU/EEA), though in certain cases personal data may also be transmitted beyond the limits of the EU/EEA, for example when that is necessary for entering into or performing an agreement or if the Data Subject’s consent for such transmission is given. Personal data is transmitted beyond the limits of the EU/EEA only if suitable security measures have been implemented.
9. AUTOMATED DECISION-MAKING
In seeking to ensure the most appropriate service for a Data Subject and to provide marketing offers suited to the Data Subject’s needs and in improving the quality of the services NRD AS provides, NRD AS may use automated means to analyse a Data Subject’s personal data, including information about their use of services and behaviour on NRD AS’ websites and self-service portals.
Note that the actions taken by NRD AS to analyse a Data Subject’s data do not have any legal or other similar significant effects for the Data Subject. A Data Subject may object at any time to the processing of their personal data for direct marketing purposes and configure their browser to refuse all or some browser cookies.
10. CONTACT DETAILS
Norway Registers Development AS (legal entity code NO-985 221 405 MVA, registered address Løkketangen 20B, NO-1337 Sandvika, Norway, tel. +47 669 71403, e-mail info@nrd.no, website https://www.nrdcompanies.com/en/contacts/).
UTIB INVL Technology (legal entity code 300893533, address Gynėjų St. 14, Vilnius, Lithuania, tel. +370 527 90601, e-mail info@invltechnology.lt, website www.invltechnology.lt).
11. COOKIES
Cookies are information that is recorded on the computer of a person visiting NRD AS webpages. Cookies are used to recognise a visitor as someone who previously visited the website and to gather website traffic statistics, as well as to show the visitor advertisement intended specifically for them and to improve the functionality of actions performed on a self-service portal. Under their default settings, most browsers accept cookies. Visitors, however, have the ability to turn off cookies by changing their browser settings. Browser settings can also be set to accept only certain cookies or to generate a warning each time and offer a choice of whether to allow cookies to be saved on your computer. Note that if cookies are disabled, some website functions may not work.
More information about cookies used by NRD AS is available at: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage.
NRD AS’s websites may include links to third-party websites and legal acts as well as to social networks (an option to share site content on Facebook, LinkedIn, Instagram and YouTube, for example). It should be noted that the third-party websites whose links are provided on NRD AS’s websites are subject to those websites’ privacy policies or other documents corresponding to a privacy policy, and NRD AS does not take responsibility for the content presented on those websites, their activities or the provisions of their privacy policies.
NRD AS has the right at any time to unilaterally modify this Privacy Policy, informing data subjects about the changes on the website of the NRD AS.