Data controller responsibility
Contacting our Data Protection Officer
You can contact our Data Protection Officer, although not with all types of question. Enquiries sent to our Data Protection Officer must concern Itera’s processing of personal data (situations in which Itera is either the data controller or the data processor, cf. GDPR), and they must also mainly relate to personal data about you or a group that you represent. Examples of such enquiries might be questions related to your rights, accessing your own data etc., cf. GDPR, Article 15. It is important for us to make clear that you can always consult our Data Protection Officer. If you feel that the Data Protection Officer is unable to provide you with sufficient help, we ask that you contact Itera - see https://www.itera.com/en/contact
Itera’s Data Protection Officer is Tor-Ståle Hansen, and he can be contacted by email on email@example.com.
Itera’s Data Protection Officer is a member of the Norwegian Association of Data Protection Officers, and he is a PECB-certified Data Protection Officer (DPCDPO1029037-2018-04).
If you would like to send your enquiry by post, please use the following address:
PO Box 4814 Nydalen
0422 Oslo, Norway
Attn: Data Protection Officer (Personvernombud)
For all other enquiries, please see the following page on Itera’s website: www.itera.com/en/contact
When does Itera process personal data?
Itera mainly processes data about you in the following situations:
- You have sent us an enquiry, question or complaint by post or email or in another format
- You have signed up for an event, competition etc.
- You subscribe to our newsletters
- You have applied for a job at Itera
- You have a business relationship with Itera as a partner or customer
- You are a journalist and have contacted us for a statement
- You have visited our website or used other communications media operated by Itera
We may also process personal data about you as a result of other processes and from other information flows.
What is personal data processing?
Personal data processing means any type or form of operation which is performed on/with personal data, with or without automated means, directly and/or indirectly. Examples of such operations include:
- Collection and recording
- Organisation, structuring and storage
- Adaptation and alteration
- Retrieval and consultation
- Use and disclosure
- Alignment and combination
- Restriction, erasure and destruction
What is a personal data breach?
As a data controller, Itera is responsible for preventing personal data breaches when your personal data is being processed at our organisation.
Personal data breaches can occur in a range of ways, for example if:
- A third party gains unlawful access to your personal data
- Data on employees, customers or partners that is registered in Itera’s IT systems is out-of-date, incorrect or significantly incomplete
- Data on employees, customers or partners is used for purposes that are entirely different from those for which it was collected
- Data on employees, customers or parties is recorded, changed or erased in Itera’s IT systems without Itera having the permission to do so.
More information on personal data is available on the website of the data protection authority for your country. We have provided links to the data protection authorities for the countries in which Itera currently has offices/activities (as at March 2021).
The Norwegian Data Protection Authority: https://www.datatilsynet.no
The Danish Data Protection Agency: https://datatilsynet.dk
The Office for Personal Data Protection of the Slovak Republic: https://dataprotection.gov.sk/uoou/
The Ukrainian Parliamentary Commissioner for Human Rights: http://www.ombudsman.gov.ua/en/page/secretariat/
The Swedish Authority for Privacy Protection: https://www.imy.se
The Icelandic Data Protection Authority: https://www.personuvernd.is
For an English language website, see the website of the UK’s Information Commissioner’s Office: https://ico.org.uk
When Itera processes your data
Cookies are small text files that are stored on your computer when you load a webpage. Some cookies are required for different services on our website to work.
Itera uses logs from our web servers to generate statistics about visits to our website. These statistics enable us to improve the information on our website. The information contains different variables, such as which pages were visited (frequency, time, time spent reading, geographic location etc.), what visitors searched for using our search engines, as well as technical information on users’ devices. The webserver immediately deletes visitors’ IP addresses. In practice, it is not possible to identify visitors from the remaining parameters. The statistics are therefore anonymous. This information can therefore not be linked to you as an individual and is therefore not considered by law to be information that requires protection or that provides the grounds for any claims in this respect.
Our basis for processing for the generation of anonymous statistics is the General Data Protection Regulation, Article 6, subparagraph 1, point (f), which permits processing that is necessary for the purposes of a legitimate interest that is not overridden by the data privacy interests of the data subject. The legitimate interest is improving and further developing the information on our website.
When you call us, your telephone number may be stored together with data on when you called and how long the call lasted, for example by our telephony services provider. If a call relates to a particular matter, a memo might be written and kept on file following the call (HR matter, customer relationship, supplier relationship etc.). Other than this, Itera does not systematically register details of telephone calls where the caller can be identified.
The log of calls is stored in order for Itera to be able to follow up on phone calls as required, for example by ringing up individuals who have contacted us to provide further information or to ask for more information. Our basis for processing in this regard is the General Data Protection Regulation, Article 6, subparagraph 1, point (f), which permits processing that is necessary for the purposes of a legitimate interest that is not overridden by the data subject’s interests or fundamental rights and freedoms. The legitimate interest is following up on telephone calls as required.
We use emails to carry out our work tasks. Emails that we receive are deleted once they cease to be required for us to carry out our day-to-day tasks. In practice this means that emails are not normally stored for longer than about a year. We ask that special categories of personal data are not sent unencrypted by email. More information on encryption is available here.
Our basis for processing in relation to personal data in emails is the General Data Protection Regulation, Article 6, subparagraph 1, point (e), which permits processing that is necessary for the purposes of a legitimate interest of both parties as sender and recipient.
We scan all incoming and outgoing emails for viruses and malware to protect the integrity, confidentiality and availability of those of our systems that process personal data. Our basis for processing in relation to this scanning is the General Data Protection Regulation, Article 6, subparagraph 1, point (c). Itera has a legal obligation to ensure data security pursuant to the General Data Protection Regulation, Article 5, subparagraph 1, point (f) and Article 32. On the basis of a specific risk assessment, we have concluded that this measure is required in order for Itera to comply with this legal obligation. We have also concluded that this processing is not disproportionate relative to the criteria for compliance with the obligation.
Itera sends out newsletters by email to individuals who have actively subscribed or have consented to a specific offer of such subscription. The newsletters normally contain news items, editorial content, user stories, commercial information, blog content etc.
In order for us to be able to send you newsletters by email, you need to register an email address. Your email address will only be used to send you newsletters and surveys about the newsletters so we can gather feedback on what readers want to read about and what they think is interesting. Provided you have explicitly given your consent, we may contact you for follow up purposes and similar. If you have consented to sharing other contact details with us, we may also, where we are permitted to do so, contact you using them, e.g. by phone. When you subscribe to our newsletters, you consent to us processing data about you. Your email address will be stored in a separate database operated by our processor Inbound Group AS, your data will never be shared with others, and your data will be deleted when you unsubscribe or by a given date/within a specific period of time as shared with you beforehand. You can unsubscribe by clicking on the unsubscribe link in the newsletter or by contacting us. Itera will process your personal data until you actively unsubscribe from our newsletters or at the end of the processing period.
Our basis for processing your email address and other information about you in connection with our newsletters is the General Data Protection Regulation, Article 6, subparagraph 1, point (a), namely your consent. You can withdraw your consent at any time by unsubscribing from our newsletters. Withdrawing your consent will not affect the legality of the processing that took place prior to you withdrawing your consent, and you are entitled not to feel discriminated against or unfairly treated as a result of your decision to withdraw your consent.
From time to time you will be able to sign up for events and competitions on our website or via other channels.
When you sign up for an event, we will ask you for data such as your name and for contact details such as your email address, as well as possibly for your telephone number and place of work. The purpose for which we collect this data is so that we can provide information to attendees, manage and organise our events, and produce lists of attendees for attendees. The data is stored until the event has been held. We will not use the data for purposes other than purposes that are related to the event, which includes following up with attendees about the event both beforehand and afterwards. You will also be able to opt out of this.
When you sign up for a competition, we will ask you for data such as your name, contact details and place of work, as well as for your entry to the competition. The purpose for which we collect this data is so we can link competition entries to individuals in order to be able to provide feedback, ask entrants for any extra information, where relevant invite entrants to demonstrate/present their entry, and where relevant inform entrants that they have been selected for the final. The data will also be used to invite entrants to the event at which we launch entries to the competition. The majority of the data will be stored until the end of the competition, but a list of winners and high-quality entries may be stored for longer.
Our basis for processing in connection with events and competitions is the General Data Protection Regulation, Article 6, subparagraph 1, point (f), which permits processing that is necessary for the purposes of a legitimate interest that is not overridden by the data privacy interests of the data subject. The legitimate interest is organising events and competitions in a proper manner.
Itera is an organisation that is primarily engaged in selling services within ICT. This means that we communicate extensively with our customers, namely businesses and organisations, as well as with our partners and subcontractors. When we start a sales process, Itera has a legitimate interest in relation to all parties in registering personal data such as, but not limited to, the name of the contact persons involved, their email addresses, telephone numbers etc. This data is registered in our central CRM system, and the data is only accessed by those who work in a sales and customer team and the various associated processes. The data is stored for as long as the customer relationship is active, and some data is stored for longer than this, cf. the relevant legislation such as the Norwegian Bookkeeping Act etc.
A natural aspect of having a customer relationship with Itera is communicating with our service function. We have standardised service agreements based on different levels and scopes. In order to provide this service function, we need to record some data on your service, including contact persons and any other persons involved in the processes. This processing falls under the provisions relating to legitimate and legal interests for all parties involved. The type and amount of information will vary from service process to service process.
If you apply for a job at Itera, we need to process data about you in order to assess your application. The recruitment process involves processing the data you give us in the documents you send us, including in your application, CV, educational certificates and certificates of employment. In addition to an interview, Itera may also carry out its own investigations, typically in the form of conversations with job applicants’ referees.
Itera uses various job application portals to administer the applications it receives for the various vacancies it advertises. See the portals’ own policies for more information on the processing activities they undertake.
Our basis for processing in relation to assessing the documentation applicants submit, holding interviews and telephoning your referees is the General Data Protection Regulation, Article 6, subparagraph 1, point (b). This permits processing that is necessary to implement measures at a job applicant’s request prior to a contract being entered into. We consider that by applying for a position and uploading documents, an applicant is asking us to consider the documentation he/she has provided, to hold interviews and to telephone referees with the aim of entering into a contract of employment.
If we carry out our own investigations in addition to this, e.g. by contacting someone who has provided a certificate of employment but who is not given as a referee, our basis for processing is the General Data Protection Regulation, Article 6, subparagraph 1, point (f), which permits processing that is necessary for the purposes of a legitimate interest that is not overridden by the interests or basic rights and freedoms of the data subject. This legitimate interest is finding the right candidate for the job.
You will not have to provide special categories of personal data in your application or at interview. This includes information on your religion, ethnic origin, political opinions, health or functional ability, pregnancy, care needs and similar, cf. the General Data Protection Regulation, Article 9. You may, however, provide such data if you wish. If you state that you have a functional impairment that will require your workplace or working conditions to be adapted, we have a duty to take this into account without discriminating against you or you feeling otherwise disadvantaged in any other way. Our basis for processing in relation to such data is the General Data Protection Regulation, Article 6, subparagraph 1, point (c), which permits processing that is necessary for compliance with a legal obligation, cf. Article 9, subparagraph 2, point (b), which permits processing that is necessary for us to fulfil our obligations in the area of employment law. In other cases, our basis for processing is the General Data Protection Regulation, Article 6, subparagraph 1, point (a), which permits processing where a data subject has given explicit consent for processing, cf. Article 9, subparagraph 2, point (a). You can withdraw your consent at any time. Withdrawing your consent will not affect the legality of the processing of your personal data that took place before you withdrew your consent.
At the entrance to Itera’s premises at street level and in other specified locations there are cameras and in some cases cameras with microphones to ensure that we do not allow unauthorised persons to enter our premises. The camera and microphone are activated manually when you request entry. The view of the entrance is shown in real-time, and the system does not have recording functionality.
Our basis for this processing is the General Data Protection Regulation, Article 6, subparagraph 1, point (f), which permits processing that is necessary for the purposes of a legitimate interest that is not overridden by the interests or fundamental rights and freedoms of the data subject. This legitimate interest is controlling access to Itera’s premises.
Itera has established Binding Corporate Rules for Processors (BCR-P) to provide Itera with a legal basis for the transfer of personal data from Itera companies inside the EEA to Itera companies outside of the EU/EEA. The BCR-P will apply to all personal data processed on behalf of Itera's customers. You can find the BCR-P here, a list of members of the BCR-P here, and Itera’s assessment of transborder processing here.
Itera will ensure that the European rules on trans-border data flows are complied with when personal data are transferred to external processors (outside of the Itera group) located outside of the EU/EEA or located in a country that is not recognised by the EU Commission as ensuring an adequate level of protection. Examples of such safeguards are Binding Corporate Rules, EU Standard Contractual Clauses or other applicable legal mechanisms.
Here is the letter of approval from the Norwegian Data Protection Authority with regards to Itera's BCR-P.
You can exercise your rights by sending an email to our Data Protection Officer using firstname.lastname@example.org, or by sending a letter to:
PO Box 4814 Nydalen
0422 Oslo, Norway
Attn: Data Protection Officer
You have a right to receive a response without undue delay and within one month at the latest. If you do not receive a response or you disagree with the response or otherwise feel that Itera has not fulfilled its obligations, we ask that you contact the Norwegian Data Protection Authority for assistance with your case.
Right of access to your own data
You can ask for a copy of all the data we process about you.
Rectification of your personal data
You can ask us to correct or add to any data that is incorrect or misleading.
Erasure of personal data
In given situations, you can ask that we erase data about you.
Restriction of processing of personal data
In some situations, you can ask us to restrict our processing of data about you.
Objecting to the processing of personal data
If we process data about you on the basis of our tasks or following an assessment of the balance of interests, you have the right to object to our processing of data about you.
If we process data about you on the basis of consent or a contract, you can ask us to transfer the data about you to you or to another data controller.
More information on your rights can be found on the website of your local data protection authority.
You can complain about our processing of personal data
We hope that you will tell us if you think that we are not complying with the rules of the Norwegian Personal Data Act. In the first instance please tell us via your contact person or the channel you already use to contact us. You can also contact our Data Protection Officer to ask for advice and guidance. Our Data Protection Officer is subject to a duty of confidentiality if you want to report a matter in confidence.
You can also complain about our processing of personal data. You can do this by contacting your local data protection authority.