This Privacy Notice («Privacy Notice«) is prepared by Lofoten Cottages («we», «our» or «us») to ensure that you receive the information we are required to provide to you and which is necessary for you to exercise your rights under the General Data Protection Regulation (the «GDPR») and the Norwegian data protection legislation (together «data protection legislation»).
2. Contact Information
We process your personal data as a controller. If you have any questions about this Privacy Notice, including how we process personal data, or would like to submit a request to exercise your rights, please contact us at:
Nusfjord Drift AS
Address: Nusfjord Drift AS
Phone: +47 760 93 020
3. What is Personal data?
Personal data means any information relating to an identified or identifiable natural person (a «data subject«). Your name, phone number, address, and e-mail address are examples of information that generally is regarded as personal data. Personal data may also include special categories (formerly referred to as «sensitive«) personal data, such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
4. Whose personal data do we process?
This Privacy Notice includes our processing of personal data about the following categories of persons:
- Private customers (customer/guest who is a natural person).
- Contact persons of business customers.
- Contact persons of suppliers and partners.
- People who visit our website and social media.
- Job applicants, including people who are relevant for employment at Nusfjord.
5. What categories of personal data do we process?
The personal data we process about you will depend on whether you are a (i) private customer, (ii) business customer or supplier, (iii) purchase gift cards, receive newsletters or provide feedback to us, (iii) a visitor to our website, or (iv) a work applicant or candidate.
5.1 Private customers
The below list described the categories of personal data which we process regarding our private customers, in connection with our establishment and administration of the customer relationship:
- Information about you and your contact information: Such as your name, address, telephone number, and e-mail address.
- Your customer history, including information regarding the services you have purchased and receipts of the services.
- Preferences and special requests regarding your stay at the resort or any accommodation needs (e.g. health information in the form of allergies) that you choose to share with us.
- Payment information: Information about the bank and/or credit card used in connection with your payments to us.
- Your IP address.
5.2 Business customers and suppliers
The below list describes the categories of personal data which we process regarding the representatives and employees of our business customers, suppliers, and business partners, in connection with the establishment and administration of our business relationship:
- Information about you and your contact information: Such as your name, telephone number, e-mail address, job title, and other information about you and your employment relationship that you have provided to us in connection with our cooperation.
- Payment history and payment information related to invoices issued to businesses and agencies.
- Your IP address.
5.3 Various services and marketing
If you purchase gift cards, receive a feedback form by e-mail and choose to fill it out without being anonymous, agree to receive newsletters by e-mail or visit our social media and in this connection, send a message or leave comments/likes, we may process personal data such as:
- Contact information: Name, e-mail address, telephone number, job title, and employer (if you represent a business customer or supplier).
- Preferences; Any requests regarding your stay at the resort or any accommodation needs (e.g. health information in the form of allergies) that you choose to share with us.
- Feedback: Your feedback, as well as other information you have provided to us through the feedback form or on our social media pages.
- Your IP address.
5.4 Visitors to our website
When you visit our website, we and some third parties may collect information about how you use our websites by using cookies. Cookies are small files of software that save and retrieve information about your visit to a website or application. They reside in your internet browser to help remember your preferences and previous activity.
When you visit our website, the following types of cookies may be set in your browser:
- Necessary cookies. These are cookies that are required for the operation of our website. These cookies ensure basic functionalities and security features of the website, anonymously.
- Analytical or performance cookies. These allow us to recognize and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
- Functional cookies. These are used to recognize you when you return to our website. This enables us to personalize our content for you, greet you by name, and remember your preferences (for example, your choice of language or region).
- Advertisement cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website, and the advertising displayed on it more relevant to your interests.
You can find more information about the individual cookies we use, and the purposes for which we use them, in the table below:
This cookie is set by the GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category «Analytical».
This cookie is set by the GDPR cookie consent to record the user consent for the cookies in the category «Functional».
This cookie is set by the GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category «Necessary».
This cookie is set by the GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category «Performance».
This cookie is set by the GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category «Other».
5.5 Persons who are applying for a job and recruitment
In connection with the recruitment process, we will process the personal data that you provide us with in relation to the recruitment process. This includes your name, contact information, study and work experience, current job title, etc. If you provide references, we may also process the names and contact information of these references.
We use the Mojob recruitment system in our recruitment processes. You can read more about the processing of personal data in Mojob here.
7. For what purposes do we process your personal data?
The personal data set out in sections 5.1 and 5.2 above are processed in order to establish and manage our customer or supplier relationship, for billing purposes, and in order to be able to provide our services to you or your employer. Documentation connected to payments and purchases is in addition processed due to purposes connected to internal reporting- and compliance with our bookkeeping obligations.
The personal data set out in sections 5.3 and 5.4 above are processed in order to market and adapt our services to you or your employer.
The personal data set out in section 5.5 are processed in order to assess you as a potential employee with us and to form a sound basis for decision-making in our recruitment processes.
8. Our Legal basis for processing personal data
We base our processing of personal data on the legal bases set forth below.
We process the information about private customers (contact information, payment information, and any other information about you, as further described above) because it is necessary to fulfill our agreement with you as well as to provide our services to you. We process information connected to the contact person and other representatives of one of our corporate customers, suppliers, or other partners because it is necessary for purposes related to Lofoten Cottage’s legitimate interests. We have a legitimate interest to establish and manage our relationship with the business you represent as its contact person.
Any personal data connected to purchase or other bookkeeping documentation will be processed based on our obligations under the bookkeeping legislation.
We process the personal data described in sections 5.3 and 5.4 for purposes related to Nusfjord’s legitimate interests. We have a legitimate interest in the marketing of Nusfjord’s services.
We also process this information for marketing purposes in order to know what relationship you have with Nusfjord, as well as to improve our services. We consider that these interests exceed the consideration of your privacy.
We process the personal data described in section 5.5 for purposes related to Nusfjord’s legitimate interests, which is to recruit and hire relevant candidates in our business.
If we have requested your consent to the processing of personal data, you can withdraw it at any time.
9. Disclosure of personal data to third parties
We use different service providers in connection with the processing of personal data. The service providers will act as processors on our behalf. We have entered into data processing agreements with our processors, which inter alia obligates the data processor to implement technical and organizational measures to ensure an appropriate level of security, confidentiality, and integrity of the personal data, as well as to only process the relevant personal data in accordance with data protection legislation.
We will enter into non-disclosure agreements before we share any information and personal data with persons and companies (i.e., third parties) involved in our services. These non-disclosure agreements require the recipient of information to keep the information confidential and to only use it for specific purposes.
We will only transfer personal data to countries outside the EU/EEA with a valid legal basis, such as Standard Contractual Clauses adopted by the EU Commission («SCCs«).
We will not disclose your personal data to any other third parties than the third parties described above, unless we are required to do so under applicable law, or if it is necessary to establish, exercise, or defend legal claims.
10. Retention and deletion
As a general rule, we will delete or anonymize personal data when they are no longer necessary in relation to the purposes for which they were collected or otherwise processed. We will delete or anonymize personal data in accordance with the following procedures:
- The personal data relating to your customer profile, including your name and contact information, will be processed as long as we have an active customer relationship with you or your employer. After the customer relationship ends, the information will be deleted after [∙] years.
- Purchase documentation will, depending on the nature of the documentation, be stored for either 3 ½ or 5 years in accordance with the Bookkeeping Act.
- Information about job applicants who are not hired will be deleted at the end of the recruitment process.
- Your Rights
You have the following rights when we process personal data about you:
- Access. You may contact us if you want to obtain confirmation with respect to whether or not we are processing your personal data, as well as access to and further information regarding our processing of your personal data. You may also request a copy of the personal data we are processing about you.
- Correcting personal data (rectification). You may request us to rectify and/or complete inaccurate or incomplete personal data..
- Erasure (the right to be forgotten). You may request us to erase your personal data. We will respect and comply with your request unless we among other things are prohibited from deleting your personal data under mandatory retention requirements, or the personal data is necessary for the establishment, exercise or defense of legal claims.
- Restriction. You may also request the restriction of our processing of your personal data in accordance with the criteria under data protection legislation. If the processing has been restricted, such personal data will, with the exception of storage, only be processed with your consent or for the exercise or defense of legal claims or for the protection of the rights of another person or for reasons of important public interest.
- Object. You are entitled to object to certain processing activities. You are furthermore, on grounds relating to your particular situation (for example, a specific need for protection of your identity), entitled to object to the processing of personal data based on legitimate interests, which we will comply with, unless there exist compelling legitimate grounds for our processing which override your interest, or if our processing is necessary for the establishment, exercise or defense of legal claims.
- Data portability. If we process your personal data based on consent or based on our performance of a contract, and the processing is carried out by automated means, you may request us to transfer the personal data to you or another controller, in a structured, commonly used, and machine-readable format.
Please note that the above rights may be subject to further exceptions and limitations in accordance with the data protection legislation.
You may contact us at: firstname.lastname@example.org if you wish to exercise any of the above rights. Please note that we may request additional information from you if such information is necessary to confirm your identity.
As a controller, we are responsible for the security and confidentiality of the personal data we process. We are furthermore responsible for implementing appropriate technical and organizational measures to ensure an appropriate level of security for the processing.
12. The Norwegian Data Protection Authority and other supervisory authorities
The Norwegian Data Protection Authority has inter alia been established to supervise Norwegian companies’ processing of personal data. You may contact us at any time if you have any questions or complaints regarding our processing of your personal data. You may also file a complaint to the Norwegian Data Protection Authority, or a data protection authority in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged data protection infringement.
You can obtain the contact details of the Norwegian Data Protection Authority on the following website: www.datatilsynet.no. You may also find more information on your rights and the data protection legislation on this website.
We may update the Privacy Notice from time to time. The Privacy Notice will, for example, be updated to comply with any legislative amendments or if we make changes to our processing of personal data.
An updated version of this Privacy Notice will be published on our website if any revisions to the Privacy Notice are made. This Privacy Notice is effective from the date stated initially.