Privacy Policy for Optio Incentives

Privacy Policy for Optio Incentives

Organization number: 919 345 578

Last updated: 04.03.2021

1       The content of this Privacy Policy

This Privacy Policy will describe Optio Incentives’ ( hereinafter “we” or “us” ) processing of personal data.

Optio processes personal data, as part of running a company. In this regard, we are the Controller (the legal person that determines the purposes and means of the processing of personal data. GDPR article 4.)

Optio also processes personal data on behalf of our clients, where our clients have the role as the Controller, and Optio the part as Processor. How we handle our obligation as a data processor, you can read about in the part regulating Optio as a data processor.

It is important for us that the management of your personal data is carried out in a safe and secure manner. The purpose of this privacy policy is for us to explain to you as a client or cooperating partner how we process your personal data and the different purposes of this processing.

Our contact details can be found below.

2       How Optio handles personal data as a data controller

This Privacy policy is aimed towards our processing of personal data in connection with our daily managing and business as a company.

We process personal data about:

  • our clients; including private clients and company contacts;
  • personal data about individuals in connection to our clients (such as counterparties, suppliers and collaborators) or other individuals involved or affected by cases we assist in;
  • other individuals mentioned in case files;
  • personal data about our employees;
  • personal data about potential employees (job applicants)
  • personal data about our partners;
  • visitors to our website and events;

3       Sharing of personal data

Third parties delivering our IT-systems will have access to personal data if the data is stored with the supplier or in some other way is visible for the third party.

We process personal data through different platforms in order to communicate, for spesific cases, and general management of the company. Examples of IT-suppliers and tools we use are for example but not limited to Microsoft, Google, Slack, and Visma  

We also share data with financial institutions when necessary to provide services to our clients and comply with government regulations. These include, but are not limited to, Sanne Group (for our International Nominee service).

The third parties can only process personal data to the extent strictly necessary for the purposes we have described and as described in this privacy policy.

4       Confidentiality

All personal data that is provided and entrusted to us in conjunction with a case will be held strictly confidential.

We do not share personal data in other situations than the ones described in this privacy policy unless our clients explicitly encourage or consent to this, or where the sharing of information is required by law or statutory regulations.Your rights

As a customer of Optio Incentives you have rights relating to the personal data we have registered about you. You can request access to the personal data we have registered about you. You may also request correction, deletion, and limitation of the processing of your personal data in accordance with applicable data protection legislation.

Your rights as a data subject contains, but are not restricted to, the following:

  1. Right to withdraw consent

If the processing of personal data is based on a given consent, you can at all times during the processing withdraw your consent by request. We will do our best to comply with requests.

  1. Right of access to personal data

As a customer/user of our services you have the right to know what data we have about you, as far as this does not conflict with the duty of confidentiality. You can use your right of access by request. For security measures, we might ask for a confirmation of identity upon such request. This is in order to make sure that we don’t breach the privacy of others or give out information to the wrong individual.

  1. Right to data portability

The right of data portability gives you the possibility to by request, receive the personal data concerning you in order to have these transferred in a machine-readable format in order to transmit those data to another controller. If technically possible we might in some cases assist with transferring these data directly to the new controller.

  1. Right to rectification and erasure

You can at any time ask us to edit incorrect information about you or ask us to delete personal data. We will fulfill such requests as long as it is possible in accordance with the purposes of processing and as long as there are none legal obligations that require us to keep the data. We will do our best to fulfill your request without undue delay.

  1. Right to object

You have the right to object to the processing of your personal data at any time during the processing. If you don’t agree in the way we process your personal data we will always try to accommodate your wishes.

If you believe that Optio Incentives has not complied with your rights pursuant to the data protection legislation, you have the right to send a complaint to the Norwegian Data protection Authority, which is the supervisory authority.

More information about your rights as a data subject can be found in GDPR articles 12 to 23.

In order to use your rights, you can simply send us a request at: contact@optioincentives.no

5       Optio as a data processor

Optio and our clients are both subject to laws and regulations that governs the processing of personal data. This includes GDPR.

Delivering Optio’s solution for managing incentive programs, Optio holds the role as a processor of personal data, while our clients holds the role as data controller.

As a data processor, Optio is obliged to process personal data according to customer specific agreements. Optio handles this via the DPA (data processing agreement). The DPA is made to fit the service rendered from Optio and describes how Optio handles personal data on behalf of our clients.

5.1        Assistance to the Client

Optio shall assist the Client in ensuring compliance with the Client’s obligations pursuant to GDPR, Articles 32 to 36 (e.g. assisting the Client in case of data breach, when conducting a data protection impact assessment and prior consultations), taking into account the nature of the processing and the information available to Optio.

5.2        Deletion and return of data

Optio will delete all personal data when there is no further need for processing and Optio has no statutory or legal obligation to retain such information. All personal data will be returned upon termination.

6       Sub processors

Optio uses sub-processors to provide limited services on its behalf related to the service, such as cloud-based storage and processing services. Optio performs a risk assessment of each sub-processor.

Any such subcontractors shall be permitted to obtain personal data only to deliver the services Optio has retained them to provide, and they shall be prohibited from using personal data for any other purpose.

Our sub-processors include, but not limited to:

Google: We use GCP for hosting our solutions on European datacenters. See Google Cloud & the General Data Protection Regulation (GDPR).

Microsoft: We use Microsoft for our day to day communication. See Microsoft’s General Data Protection Regulation Summary.

SendGrid: We use SendGrid for outgoing mail from our system. See SendGrid’s General Data Protection Regulation.

7       Transfer of data

Personal data may be transferred to, and stored and processed in the EU/EEA(third country) countries which are permissible under the Personal Data Legislation.

Optio does not transfer data, without the consent of the Client, to a country outside the EU/EEA.

If personal data is to be transferred to and processed by a subcontractor located outside the EU/EEA, Optio is obliged to ensure that Optio and the sub-contractor enter into the EU standard contractual clauses for such third-country transfer (unless the transfer is made to a country deemed by the European Union as a jurisdiction with adequate protection for personal data).

8       Storage

While working with a case all the information regarding the case will be stored in our system. We store case files for finished assignments for up to 10 years in our system, or upon termination of the service.

Accounting rules and procedures might require that we keep information for a more specified time frame. When a specific purpose requires us to store documents for a purpose like this we make sure that the personal data stored is strictly necessary for this purpose and not stored for longer, or used for any other means than the purpose. Security

We have established both technical and organizational routines in order to keep your information safe. We carry out continuous considerations of the safety of our central systems that are in use for the processing of personal data, and we have agreements in place that require the suppliers to comply and keep a required level of information security.

Access to personal data (including client and case information) is restricted to individuals with a necessary need to access in order to complete their assigned tasks.

This website is secured with SSL encryption.

9       Changes to our privacy policy

Optio Incentives reserves the right to adjust and adapt this privacy policy, for example, due to regulatory requirements. Our updated privacy policy will be published on our website at all times.

If substantial changes are made, we will notify our clients.

10        Get in touch

Contact phone: (+47) 22 34 33 32

Address: Husebybakken 28B, 0379 Oslo

Contact via email: contact@optioincentives.no