Privacy Policy

Last updated: July 12, 2024

1. Data Controller

This privacy policy explains how we collect and use (process) personal data in our business. MIDPILOT AS, represented by the CEO, is the data controller for the processing.

Our contact information is:

MIDPILOT AS
Business address: Prinsens gate 12
0152 OSLO
Norway
Organization number: 833668862
Email: privacy@midpilot.com

We take your privacy seriously and have taken several steps to ensure we provide clear information about how we process your data, and what rights you have. If you feel something is unclear or missing, please do not hesitate to contact us.

2. Your Rights

Contact us if you have questions about or wish to exercise any of your rights. You are entitled to a response within 30 days. Read more on the Norwegian Data Protection Authority's website.

  • Access to and correction of your own data: You can request a copy of all information we process about you, and ask us to correct any data that is not accurate.
  • Deletion or restriction: In certain situations, you can ask us to delete and/or restrict the processing of your data, but we cannot delete data we are required to process.
  • Objection to processing: If we process your data based on legitimate interest, you have the right to object to it.
  • Data portability: If we process your data based on consent or a contract, you can ask us to transfer your data to you or another data controller.
  • You also have the right to withdraw your consent at any time.

If you are not satisfied with the way your data is being processed, you can lodge a complaint with the Norwegian Data Protection Authority, but we hope you will contact us first so we can try to resolve the issue for you in a satisfactory manner.

3. Who We Process Personal Data About

We process personal data about:

  • Customers
  • Potential customers
  • Contact persons at suppliers and partners
  • Website and web app visitors
  • Job applicants
  • Employees
  • Former employees
  • Members
  • Former members

4. How We Collect Personal Data

Providing personal data to us is voluntary, but to complete a transaction, we do need certain information from you.

We process personal data when you:

  • Purchase our products/services
  • Contact us by phone, SMS, our website, email, or social media
  • Subscribe to newsletters
  • Register for events organized by us
  • Respond to a survey
  • Use our website
  • Apply for a job with us or work for us
  • Are a supplier or partner

According to Article 6(1) of the GDPR, personal data can be processed based on:

  • Your consent
  • A contract we have entered into
  • A legal obligation we have
  • To protect vital interests of the data subject or another natural person
  • To perform a task carried out in the public interest or in the exercise of official authority
  • A legitimate interest we believe we have

As a general rule, personal data should not be processed and stored longer than necessary to fulfill the purpose of the processing. If we process your personal data based on a legitimate interest we believe we have, you can object to the processing by contacting us. We will then assess your objection and respond to you promptly.

To comply with this, we perform annual GDPR audits to formally review and assess our data protection practices. The goal is to amend, update, and, if necessary, delete personal data.

We retain data as long as we are legally required to, for example, in relation to accounting, tax, or employment laws, and/or other relevant rules and regulations. You can contact us at any time if you want us to stop processing or delete your personal data, but note that we cannot delete personal data we are legally obligated to process.

We have procedures to ensure that personal data is deleted from all relevant systems when we no longer have a purpose and/or legal basis to continue processing it. Accounting records are kept for up to five years, as required by the Norwegian Accounting Act.

6. How We Process Personal Data

Here we describe in detail when and how we process your personal data, for what purposes, on what legal basis, and for how long. We process personal data when:

  • You communicate with us

    When you give us your business card or contact us through the website (contact form, comment section, chat, or similar), email, phone (calls, text messages), or social media, we process personal data. Depending on where and how you send us a message, this may include your name, contact information, IP address, and other information you choose to send us.

    The purpose is to respond to your inquiries, maintain a history, and have documentation in case we receive complaints, legal claims, or other inquiries.

    The legal basis may be:

    • Your consent
    • A contract we have entered into
    • A legal obligation we have
    • To protect vital interests of the data subject or another natural person
    • A legitimate interest we believe we have, where the legitimate interest is to be able to respond to inquiries from you, maintain history, and have documentation in case of complaints, legal claims, or other inquiries.

    We go through, archive, and delete inquiries as needed, but at least once a year.

  • You purchase our products and services

    When you purchase products and services from us, we process personal data such as name, contact information, order and payment information, and purchase history.

    The purpose is to deliver products and services to you as ordered/purchased, maintain a history of sold products and services, and generally manage and follow up on the customer relationship with you.

    The legal basis may be:

    • Your consent
    • A contract we have entered into
    • A legal obligation we have under, among other things, the Accounting Act and the Tax Act
    • A legitimate interest we believe we have, where the legitimate interest is to be able to respond to inquiries from you, maintain history, and have documentation in case of complaints, legal claims, or other inquiries.

  • Marketing in existing customer relationships

    When you become a customer with us, we process personal data as mentioned above. If you have an existing customer relationship with us, we may send you marketing emails and SMSs, in accordance with the Marketing Act § 15. The legal basis will then be legitimate interest, but may also be consent.

    The purpose of the marketing is to provide good customer service.

    You can unsubscribe from marketing emails and SMSs at any time. Information on how to unsubscribe is provided in all marketing-related emails and SMSs we send.

    Data is processed as long as the customer relationship exists, or until you unsubscribe from the marketing list.

  • You apply for a job or work for us

    When you apply for a job with us, we process personal data such as name, contact information, CV, and other information we need to evaluate your application.

    The legal basis may be:

    • Your consent
    • A contract we have entered into
    • A legal obligation we have
    • To protect vital interests of the data subject or another natural person
    • A legitimate interest we believe we have.

    The legal basis may vary depending on where we are in the recruitment process and the type of position.

    Data is deleted after a person is hired, unless you have consented to us retaining your information longer in case you wish to apply for a job at a later date. The consent will be renewed annually.

  • For employees

    For employees, we process personal data as mentioned above, in addition to data necessary to pay wages and otherwise manage the employment relationship.

    The legal basis may be:

    • Your consent
    • A contract we have entered into
    • A legitimate interest we believe we have.

    Most data about employees is processed based on the employment contract and is generally deleted when the employment relationship ends, unless specific reasons (such as disputes regarding termination or dismissal) make it necessary to retain it longer.

  • You register for an event

    When you participate in free events organized by us, we process personal data such as name and contact information. For paid events, we also collect order and payment information. The purpose is to offer relevant courses, lectures, and workshops or fulfill agreements regarding ordered events.

    The legal basis may be:

    • Your consent
    • A contract we have entered into
    • A legal obligation we have under, among other things, the Accounting Act and the Tax Act
    • To protect vital interests of the data subject or another natural person
    • A legitimate interest we believe we have.

    We may also use your personal data to send you a request for feedback on the event you participated in, and to invite you to other similar events. The legal basis is then legitimate interest, where the legitimate interest is to continuously improve our products and services and provide you with good customer follow-up.

    How long we retain the data depends on the type of event, but it is usually deleted within 12 months.

  • You respond to a survey

    We always inform you about the purpose of surveys we conduct and whether they are anonymous. We do not share the information with others or use it for purposes other than what we have stated. In anonymous surveys, we do not collect personal data.

    The legal basis for non-anonymous surveys may be:

    • Your consent
    • A contract we have entered into
    • A legitimate interest we believe we have.

  • You are a supplier or partner with us

    When you enter into an agreement with us either as a supplier, partner, or data processor, we process personal data such as name, contact information, and correspondence.

    The purpose is to enter into an agreement with you, and the legal basis may be:

    • Your consent
    • A contract we have entered into
    • A legitimate interest we believe we have.

    Data is retained as long as we have an ongoing relationship. We process personal data related to general correspondence and communication as described above.

  • You use our website

    When you use our website, we process personal data in accordance with our cookie policy. The purpose is to manage our website, promote the business, and respond to inquiries from visitors. The legal basis for cookies that store or process data falling under the Electronic Communications Act § 2-7b is consent through a predefined browser setting, in line with the recommendations from the Norwegian Communications Authority as described here.

7. Who We Share Personal Data With

To operate our business efficiently and securely, we sometimes need to share your personal data with parties such as:

  • Data processors: providers of various services that process your personal data on our behalf
  • Professional advisors from industries such as law, finance, accounting, auditing, and insurance
  • IT and administrative system support
  • Public authorities we are obligated to report to

We require that everyone we share your personal data with ensures the security of your data in accordance with good information security practices and the requirements of the GDPR. We enter into data processing agreements with all who process data on our behalf, and confidentiality agreements as needed.

We use data processors for:

  • email, calendar, and digital meetings
  • accounting, bookkeeping, and invoicing
  • cloud storage
  • newsletters
  • electronic signing
  • surveys

For security reasons, we have not specified these by name, but please contact us if you want more information.

8. Security

We take information security seriously, and we will always do our utmost to safeguard your personal data in the best possible way. Among other things, we use:

  • strong passwords
  • data encryption
  • access control
  • backup
  • two-factor authentication

to secure our data and prevent unauthorized access to view, change, delete, or in any way affect the data we store, including your personal data.

We use only reputable providers of IT and administrative services such as web hosting, website security, PC security, antivirus programs, email provider, backups, and more. We allow others to access and/or process your personal data only according to our instructions, and only where it is strictly necessary (e.g., in the event of IT support).

We have established procedures for handling data security breaches, and in the event of an incident, we will report the breach to the Norwegian Data Protection Authority within 72 hours of discovering the breach. If the breach results in high privacy risk, we will also notify the affected individuals.