Processing of personal data
NorCar AS, with its managing director as the data controller, applies to all personal data received and recorded in connection with the company. This privacy statement explains what data we collect and how we collect, process, store, and delete data.

Company Details:
Organization Number: 921 891 903
Name/Company Name: NorCar AS
Legal Form: Limited Company (Aksjeselskap)
Business Address: Gamle Svinesundsvei 14, 1789 Berg in Østfold

Purpose of Personal Data:
Depending on how you choose to use our products and services, we use Personal Data for various purposes:

Contract Execution:
Personal data is used to fulfill agreements or contracts between an organization and an individual. This may include the delivery of goods and services, billing, and payment.

Customer Service:
Personal data is used to provide customer service, handle inquiries, and answer questions from customers.

Marketing:
Marketing and promotional activities may include the use of personal data to target advertisements, campaigns, and offers to specific audiences.

Personnel Management:
Personal data is used to administer employee information, including salary, tax deductions, holidays, and performance evaluation.

Legal Compliance:
Personal data is used to comply with legal requirements, such as tax laws, labor regulations, and accounting standards.

Security:
Personal data may be used to manage security measures, such as access control, monitoring, and threat identification.

Research and Analysis:
Personal data may be used for research and analysis purposes, such as market research, product development, and service improvement.

Statistics and Reporting:
Personal data may be collected and processed to generate statistics and reports used for decision-making and planning.

Legal Basis for Processing:
We only contact based on legitimate interest and information voluntarily provided by you. Our processing basis is your consent, the basis for fulfilling our contract, necessary to fulfill our legal obligations according to the Accounting Act and the Archives Act.

What Personal Data Do We Collect About You?
Depending on the information you provide us, how you use our products and services, and the permissions you grant us, and the information we have collected, we have the following information about you:

For Archives and Case Handling:
Various types of personal data are recorded in our archive and case handling system. This includes information such as Company Name, Personal Name, Personal Identification Number, Address, Telephone Number, Email Address (basic data), and other relevant information as indicated in the inquiry/processing.

Email and Telephone are used as part of the daily work to operate NorCar's products and services. The managing director is responsible for the processing of personal data in this context. Relevant information arising from telephone calls and email exchanges conducted as part of operations is recorded (Case Handling and Archive).

In addition, NorCar's employees use email in regular dialogue with internal and external contacts. Each individual is responsible for deleting messages that are no longer relevant and, at least annually, reviewing and deleting unnecessary content in the email inbox. Upon resignation, email accounts are deleted, but certain relevant emails will normally be transferred to colleagues. Sensitive personal data should not be sent via email. Please note that regular email is unencrypted. Therefore, we encourage you not to send confidential or sensitive information via email.

Other information collected includes:
  • Company Name, Personal Name, Personal Identification Number, Position, Workplace, Mobile, Email.
  • Information about the customer relationship (service and order information, payment information, and marketing permissions).
  • Information generated in connection with the use of the services, e.g., activities on our websites (including date and time and the browser you use, IP addresses, screen size, etc.)
  • Other information about service usage, such as data collected using cookies and similar technologies when visiting our websites,
  • Other information collected based on your consent. You will receive information about the information we collect and how it is used when we request your consent.

Where Do We Collect Information From?
The information we collect about you depends on which services you use, subscribe to, or purchase, as well as the information you provide us with when making a purchase or in other contexts.

We collect personal data that:
you provide to us, for example, when you purchase a product or register for our services, subscribe to our newsletters, or contact us with questions.
is automatically registered when you send an email, visit our websites through cookies, and when you use forms on our websites.
we may obtain from publicly available registers (e.g., the National Population Register).

Providing personal data to us is voluntary, but if you choose not to do so, we may not be able to provide you with our services because, for example, we may not be able to invoice you for the services.


Who Do We Share Personal Data With?
We share personal data with the following companies that provide technical and administrative services to NorCar:
  • Destinet CMS
  • Leonberg Advertising Agency
  • Tripletex
  • BDO
  • GP Digital

A separate data processing agreement exists between NorCar AS and the companies providing technical and administrative services. The agreement regulates the information the supplier has access to and how it should be processed.


How Are the Data Protected?
Cloud-based IT solution, operated by GP Digital, is responsible for data security.


How Long Do We Store Personal Data?
We store personal data only as long as necessary to achieve the purpose for which they were collected, or if we are required to store the information. The information will be deleted or anonymized when no longer necessary to achieve the purpose. Below is an overview of how long we store your information:
  • Forms store your information on our websites for up to 60 days. Form information is shared with Case Handling for the purpose.
  • The archive and case handling system store relevant information to fulfill the agreement, complaint, and warranty period.
  • Email and Telephone are reviewed annually, where necessary information is stored or transferred to Case Handling and Archive.
  • Accounting: Personal data is stored in accordance with the Accounting Act.
  • Google Analytics stores information about IP addresses for 26 months.

Your Rights
Everyone who asks has the right to basic information about the processing of personal data in a business according to § 18, 1st paragraph of the Personal Data Act. NorCar has provided this information in this statement and will refer to it in any inquiries. Those registered in one of NorCar AS's systems have the right to access their own information. You may have the right to ask us to:
  • Information on how we process your personal data.
  • Provide you with a copy of personal data about you.
  • Update your personal information.
  • Delete information that we no longer have a basis to store.
  • Limit or stop the processing of your information
  • Withdraw any consents you have given us.

If you believe that we are processing personal data in violation of the Personal Data Act, you have the right to complain to the Norwegian Data Protection Authority. Before you do so, we would like you to contact us so that we can answer your questions or clarify any misunderstandings.


Internal Control - Deviations, Deviation Analysis, and Measures
If the processing of personal data is due to a breach of data security, this is reported to the Norwegian Data Protection Authority within the given deadline. If it is not possible to determine the extent within the given deadline, a deviation report is sent step by step to the Norwegian Data Protection Authority.

NorCar AS has its own mapping form that summarizes breaches or deviations describing the system, category, and type of information affected.

The completer of the form should inform the managing director of any breaches or deviations. The responsible recipient shall assess whether immediate measures should be taken. Then the person shall describe the consequences of the breach or deviation, clarify the measures, and limit the