Amesto Group

Data Protection Policy.

Amesto takes data protection seriously and all personal data shall be secure with us.  Here you will find information about what data we process about you, including how and why we collect and use the data, as well as how we safeguard security, your rights and the rules contained in the data protection legislation.

Amesto is a group of legal entities that crosses national borders. We provide products and services to private and public enterprises in several countries. Amesto's head office is located in Oslo and the Amesto Group is subject to European data protection legislation. This data protection policy was last updated on April 20, 2020.

1. INFORMATION ABOUT DATA PROTECTION LEGISLATION

All processing of personal data is governed by the EU’s data protection regulation, the General Data Protection Regulation (GDPR), which has been implemented in all EEA countries.

"Personal Data" is information and assessments that may be linked to or identified with a natural person, e.g. name, telephone number, home address and e-mail address, IP address, photos or an identification number.

The legislation sets strict standards for the processing of personal data. To process personal data requires, among other things, a clearly defined purpose and a lawful basis for the processing (for example that the processing is necessary to fulfil an agreement with you or that you have consented to the processing). There are also requirements relating to confidentiality and security, built-in data protection, assessment of data protection consequences and requirements for us as a company to comply with your rights.

According to the data protection regulations the data controller is the entity that determines what the purpose should be for the processing of personal data and what means should be used. In some cases it is also possible to be a joint data controller with third parties where the parties jointly determine the processing framework. A data processor is the entity that processes personal data on behalf of the data controller and there must then be an agreement between the parties about the processing framework.

The local Data Protection Authority oversees GDPR and supplementary national legislation.  For more information about data protection, such as guidelines and contact information for the supervisory authorities that have the greatest relevance for the Amesto companies, please refer to:

Norway    Sweden    Denmark

2. WHAT TYPES OF PERSONAL DATA ARE PROCESSED, WHY, HOW AND FOR HOW LONG?

2.1 How we process your personal data

Data control

Companies in the Amesto group act as data controllers when processing personal data in various situations. Further information about this can be found in this Data Protection Policy.

The formal responsibility for processing personal data lies with the general manager of the Amesto company which is responsible for the processing concerned. Amesto has appointed its own chief privacy officer in order to help the group management to manage the group’s responsibilities, and a joint privacy officer has been appointed for the whole Amesto group. Contact information can be found at the bottom of this Data Protection Policy.

We collect and use personal data for various purposes and with different processing bases, depending on the relationship you or your company has with us, your preferences and any consents. We store personal data for as long as might be required in order to comply with the statutory purpose for which it has been collected, after which it is deleted or anonymised. We will provide more information about this below.

Information is primarily received from you or it is publicly available. If we share information with others, we explain this when undertaking the processing in question.

Data processor

Amesto also processes personal data on behalf of customers. This applies, for example, when we process personal data about our customers’ customers or our customers’ employees in connection with the provision of our services. In such cases Amesto is not regarded as being a data controller, even though we are involved in processing the personal data in question. In such cases the customer is responsible for the processing of data, while Amesto acts as the data processor who only processes information on behalf of the customer. In such cases Amesto’s processing of personal data is regulated by the company’s data processing agreement with the customer, as well as by any processing instructions issued by the customer. If you have any questions about this, please refer to the relevant service website or contact the relevant Amesto company which provides the service in question.

 

2.2 General processing activities

Visitors

Visitors to Amesto’s premises may be asked to record their arrival by providing their name, contact information and if necessary the company they represent. This information is important in order to ensure that Amesto has control over who is present at our premises at any given time, and the legal basis for this is our legitimate interest in having such control. Information provided by visitors is stored for a limited period, unless a visitor consents to the information being stored for a longer period that is specified in the consent. Information about relevant storage periods is provided at each location.

Attending courses and participating in activities

Amesto offers a variety of courses and activities, both online and through actual attendance, where the relevant Amesto companies process information about participants, e.g. name, employer or other connection with us, title/role and contact information. The legal basis for processing is our legitimate interest in administering the course or activities concerned, and in order to document customer participation.

For customers such information is processed in line with ordinary customer processing. If you are not one of our customers, your information will be deleted one year after it was stored, unless you have consented to allowing us to process such information for future events. In such cases your information will be stored and possibly shared with others, in line with the relevant consent provided. 

Suppliers and partners

Amesto has a number of suppliers and partners. In order to document, administer and undertake work in connection with these, we will process personal data such as contacts, contact information, title and role, collaborative dialogue in various media and any login information relating to products and services which are included in the relationship. The legal basis for such processing is compliance with our agreement with the supplier or partner concerned, as well as our legitimate interest in administering such third parties.

We store personal data for as long as we have an active relationship with such third parties, and for up to 3 years after the relationship ends in order to follow up any necessary commitments or rights towards such third parties.

Customer portals, chats and e-mails

Amesto uses customer portals, chats and e-mails as part of its daily work and for engaging in general dialogues with internal and external contacts.

The legal basis for this processing is our legitimate interest as well as any potential contractual and legal obligations.

Such dialogues are stored in our systems if such is necessary and relevant, e.g. in respect of a customer relationship or other necessary documentation. Such information is deleted in accordance with the deletion procedures relating to the relationship concerned (e.g. the relationship with the customer) or the actual need for documentation.

Our employees are responsible for deleting unstructured personal data in e-mails which are no longer relevant, and for going through and deleting any unnecessary content in their e-mail boxes at least once per year.

Please also note that normal e-mails are not encrypted. You should therefore not send confidential, sensitive or other classified information to Amesto by e-mail.

Amesto Trust Centre

Amesto has an Amesto Trust Centre for dealing with the reporting of data breaches and other information that is subject to notification relating to employees, suspected wrongdoings, health, environment and security, data protection and other information security. Enquiries submitted to the Amesto Trust Centre also include enquiries about data subjects’ rights when we are responsible for processing and other general enquiries sent to us on the Amesto Trust notification form.

If you use the Amesto Trust notification form, personal data concerning you as a registrant will be stored, including your name and contact information, unless the form is submitted anonymously. The registrant enters the information into a secure web form, which is then processed in our processing system of dedicated resources depending on the nature of the matter. Personal data that is processed is automatically deleted in accordance with defined deletion procedures for the different types of issues, personal data and legal requirements. 

The legal basis for such processing is to enable us to fulfil our legal obligations or is based on Amesto’s legitimate interest in processing any enquiries that you send to us.

General Information about our legal obligations

We process data in order to comply with our statutory obligations or decisions adopted by the authorities. This applies to, for example, the storage of accounting documents in accordance with local legislation, in order to comply with orders issued by the courts or other public authorities.  The legal basis for such processing is compliance with our statutory obligations, and we store such data in accordance with any relevant legal requirements.

General information about security

We need to process personal data in order to secure both your assets and those of Amesto. For example, this is done through access management, logging into servers and systems, and operating infrastructure, firewalls and access control.

The legal basis for such processing is primarily compliance with our legal obligations. The legal basis for processing may also apply to any commitments that are set out in agreements with our customers, as well as our legitimate interest in safeguarding both your and our assets. Storage times will be dependent on the purpose and legal basis for such processing.

Prevention and evaluation of criminal offences committed against Amesto

We use personal data to prevent, expose, clarify and deal with fraud and other criminal offences committed against Amesto, as well as any misuse of our services. The lawful basis for this processing is our legitimate interest in achieving the purpose as described. The storage period will depend on the specific purpose.

Complaint Process, Recourse Claims and Legal Proceedings

We use personal data to establish, exercise and defend legal claims, for example in connection with the processing of complaints, recourse claims and legal proceedings. The lawful basis for this processing is Amesto's legitimate interest in achieving the purpose as described. To fulfil this purpose it may in special cases also be necessary to process specific categories of personal data without consent. The storage period will depend on the specific purpose.

2.3 General information about sharing personal data

Disclosure of personal data in response to legal orders

To the extent required by law or judicial decree, or when necessary for the investigation of possible criminal offences against our company, relevant data may be disclosed to the public authorities or any other legitimate entities.

Processing of data by our suppliers

Suppliers who provide services for or on behalf of Amesto, or who assist us with the operation of the company, will normally be data processors and consequently be able to access personal data. Data processors may not use such data for purposes other than the purpose for which it was collected, and as determined by Amesto. Separate data processing agreements regulate all personal data that is shared with these suppliers.

In connection with business transfers

Personal data could in some cases be disclosed in connection with mergers, acquisitions, sales of Amesto assets or transfers of services to another company.

Disclosure of Personal Data to Countries outside the European Economic Area

In some cases we may use suppliers or partners that process personal data in countries outside the European Economic Area. In such cases we ensure that the data is transferred in accordance with this Data Protection Policy and in accordance with the applicable data protection legislation, and any approved standard agreements and certification schemes.

2.4 Special information about recruitment

Amesto processes personal data in connection with recruitment primarily as a so-called data controller or joint data controller.

We act as a data controller when we process personal data which is sent to us with applications for jobs at Amesto.

In some cases Amesto may act as a joint data controller with a third party, e.g. recruitment company, and the third party and Amesto will jointly decide how to process the personal data concerned. In such cases the division of responsibilities, the purpose of processing and any aids that are to be used are specially regulated in a separate agreement about shared processing responsibilities.  The companies in the Amesto Group are joint data controllers of Amesto’s recruitment database.

The formal responsibility for processing personal data lies with the general manager of the Amesto company which is responsible for the processing concerned. Amesto has appointed its own chief privacy officer in order to help the group management to manage the group’s responsibilities, and a joint privacy officer has been appointed for the whole Amesto group. Contact information can be found at the bottom of this Data Protection Policy.

Amesto may share personal data with any data processors who assist us in the recruitment process, such as recruitment companies that provide help with the assessment of candidates and providers of personality tests, etc. Such processing is regulated under separate data processing agreements with Amesto's specific instructions on how data processors process personal data.

Applications for specific jobs

Amesto processes the personal data that is necessary for assessing whether or not an applicant is suitable for filling the position that is vacant. Personal data which you provide in connection with recruitment is processed, including name and contact information, information about education, work experience and other qualifications, as well as any photos and video presentations that you share. As part of the recruitment process we may also search for further information about you online, including on social media. This is based on our legitimate interest in being able to assess your application and suitability for the job in question.

For some jobs it may be necessary to undertake credit checks, obtain police certificates and obtain details about other relevant posts. It may also be relevant to conduct ability and/or personality tests. If so, we will process the test results, as well as any technical information such as IP address and any login information which is specified in the test tool. If any of this is relevant for the job, any relevant applicants will receive more information in connection with the recruitment process, and the information will be processed on the basis of your consent. Providing consent is voluntary, but please be aware that if we need to process such information for the job in question and you refuse to give your consent, we will not be able to consider you for the job.

We will retain your application and all the information you give us in connection with the application process, as well as our own assessments of you in your capacity as an applicant, until the application process has been completed and for 3 months thereafter. However, please note that we will not store the actual content of any credit checks or police certificates, but only store the fact that such tests have been carried out and whether or not the candidate is still suitable for the job.

If you have applied for a particular job in one specific Amesto company, we will not share your personal data with other companies in the Amesto group without your consent. Please also see the information about our recruitment database below.

You can withdraw your application or your consent to the processing of personal data at any time by sending a request to the contact for the job or by using the Amesto Trust notification form.  

You can also read more about your rights under section 4.

 

Open applications in our recruitment database

If you would like Amesto to keep your personal data in order to consider your expertise in respect of other jobs in the Amesto group, you can give special consent for this when you apply. Our recruitment database stores the personal information you have already provided, including your name and contact information, information about your education, work experience and other qualifications, and any photos and video presentations you share with us. Our recruitment database also stores any statements made by referees, background checks, internal assessments and interview reports, as well as personality and ability tests. Personal data which is transferred to our recruitment database and which is based on your consent can only be shared with the relevant functions in all the companies in the Amesto group.

We only want to receive open applications on our recruitment database. If you send us an open application by e-mail, we will refer you to our recruitment database.

If you consent to us storing your personal data in our recruitment database, this will be stored for 360 days, calculated from the time you gave your consent. After that all your personal data will be deleted. If you wish to withdraw your consent, you can send us a request on the Amesto Trust notification form.

2.5 Special information about digital media, customers and marketing

Companies in the Amesto group process personal data about customers, potential customers and visitors on our social and digital media, primarily as so-called data controllers, and in some cases as joint data controllers.

We will provide more information about this below.

Our websites

When you visit our websites, we use cookies (also called information capsules). These are small files which are placed on your computer when you download a website. We categorise the use of cookies in the following areas:

  • Essential cookies which are placed on your computer as soon as you visit an Amesto website. They are technically essential for enabling the website to function. Typical examples are screen functions and menus.
  • Functional cookies such as preferred language or the region in which you are located.
  • Cookies for analysis purposes in order to assess how the website is used and for identifying improvement potential.
  • Cookies for marketing purposes such as Facebook pixels which enable us to display advertisements which are relevant and interesting for individual users.

Amesto’s websites do not place any cookies other than those that are necessary until you have given your consent in our cookies statement. They also provide information about how we store and share such cookies. You can amend your consent at all times in the bottom left-hand corner of our websites.

Browser providers also have help pages on how you can administer information capsules:

 

Social media

Amesto has also created websites on various social media platforms in order to convey information and marketing details about the group, as well as involve us in discussions with interested parties. We share processing responsibilities with the operators of such platforms such as Amesto’s pages on Facebook, Instagram and LinkedIn. Amesto has a legitimate interest in understanding and communicating on social media with interested parties who have elected to follow us and contact us, while the relevant social media have their own legitimate interests as explained in their own privacy declarations.

If you visit, like or share our content on social media such as Facebook, Instagram, YouTube and LinkedIn, pixels are delivered in order to collocate data for targeted advertisements against the segment in question. This cannot be linked directly to you as an individual. You can read more here about how collocated data is used for displaying advertisements without the advertiser knowing who you are:

 

Potential customers

Answering enquiries: before a customer relationship is established, we process personal data such as name, employment conditions, title/role and whatever you are asking so that we can administer enquiries made to us. We will process and share personal data within the group so that we can answer enquiries to the best of our ability. This type of processing is based on an agreement to answer your enquiry. Such information is deleted immediately once your enquiry has been answered satisfactorily.

Establishing leads: based on our legitimate interests, we also develop an overview of potential customers and contacts based on publicly available information. Such information is stored for one year.

If you give consent once when you make enquiries with us, we will also register you as a lead and we will process your information in line with the relevant consent.

 

Customers

When you or the company you work for are one of our customers, we process personal data so that we can document, administer and perform tasks in connection with our service deliveries. This could be in connection with customer surveys, customer service, to provide relevant and necessary information and invoicing, etc. We will process the name of the customer (which is personal data if you are a sole proprietorship), customer contact, including contact details, title and role and customer dialogue on various media, as well as any login information for products and services that are part of the customer relationship.  The legal basis for processing is to fulfil the agreement with the customer, as well as our legitimate interests in respect of managing the customer relationship.

We keep personal data in connection with customer relationships for as long as the relationship with Amesto is active, and for up to 3 years after the relationship has ended, in order to safeguard our own interests and those of former customers.

Furthermore, on the basis of our legal obligations, Amesto can also store customer information in accordance with statutory requirements if such is specified in such documentation, e.g. items which have an accounting obligation.

 

Consolidated Customer Register

Amesto is a group consisting of several companies. We have a common Customer Register for customers in the Amesto TechHouse Group and the Amesto AccountHouse Group. The purpose of having a Consolidated Customer Register is to effectively administer our customer relationships and to coordinate consultancy, the provision of services and legal marketing across all of our companies. In our Customer Register we process and store customer information as described under “Customers” above, with the exception of customer dialogues which are not available across the board.

The Amesto companies are jointly responsible for processing material in the Consolidated Customer Register. The legal basis for processing and sharing basic information across the companies is our legitimate interest in administering customer relationships and coordinating activities across the Amesto group.

 

Marketing

We process personal data in order to market our products and services. Our marketing activities include such things as segmentation of target audiences for marketing, marketing based on the purchase or use of our services, etc, sending out newsletters and other forms of legal marketing.

The legal basis for such processing is primarily our legitimate interest in marketing the Amesto group’s products and services. In some cases the legal basis will be consent. This applies primarily to electronic marketing (such as e-mail and SMS) to people who are not existing customers, to marketing from Amesto group companies other than those with which you have a direct customer relationship, and to other situations where consent is required under applicable law.

Upon termination of a customer relationship, we will only use this information for direct online marketing if you have consented to this.

If you sign up for newsletters or select the option to download information such as checklists and White Papers, etc., we will process your personal data in accordance with the relevant consent.

You have access to your consent at the location where you initially gave such consent, where you can easily and at any time amend or withdraw your consent. You can also contact us on the Amesto Trust notification form.

As an existing customer you can opt out from us contacting you.  This is done by using a clearly marked “unsubscribe” link in the relevant newsletter. Please note that you cannot opt out from any critical information which relates to your customer relationship. You can also contact us on the Amesto Trust notification form.

 

Analyses and product development

We use collocated data for conducting analyses that help us to understand potential and existing customers' needs. We use such information for analysing how our products and services, as well as social and digital media, are used, so that we can further develop them in order to provide maximum value.

These types of activities are primarily aggregated (collocated) data, but in some cases they may also involve the processing of IP addresses. The legal basis for such processing is our legitimate interest in understanding and adapting ourselves to our customers’ needs in order to develop our products and services.

2.6 Special associated service areas

In addition to the processing described above, the Amesto companies may also engage in further processing and sharing of personal data in their capacity as data controllers in connection with their service areas.

Accountancy work

In our capacity as an accountancy company, we receive various information from our customers, including large quantities of personal data. Customers who are responsible for processing personal data forward such to us in our capacity as a data processor in line with the assignment contract and its accompanying data processing agreement.

Under the accountancy regulations, we are required to store assignment documentation. Assignment documentation consists of basic material relating to the work to be carried out, as well as documentation relating to the actual work. This might for example include received timesheets and information about deductions to be made from salaries, etc. Assignment documentation also consists of a certain amount of information and documentation about the customer, such as beneficial owners, whoever is acting on behalf of the customer and investigations about suspicious transactions subject to the Norwegian Money Laundering Act, etc.

In its capacity as an accountancy company Amesto is thus also responsible for processing such personal data which relates to customers. All storage of such information is governed by the Norwegian Accounting Act and its appurtenant regulations, generally accepted accounting principles and supporting legislation, e.g. the Norwegian Money Laundering Act.

This information is only shared with the customer, as well as the public authorities in accordance with special authority (e.g. the Norwegian Accounting Act, the Norwegian Tax Administration Act and the Norwegian Money Laundering Act). We store personal data in accordance with current statutory requirements, mainly for 5 years from the end of the year, or for as long as a customer relationship lasts and for up to 5 years after such relationships end.

3. HOW DO WE PROTECT DATA?

Amesto works in a planned and systematic manner to protect personal data.

Through good internal control and great information security, we ensure that we process personal data lawfully, securely and properly.

We shall look after the rights and freedoms of the data subject, while also fulfilling the company’s lawful purposes of the processing. Under the data protection regulations, this requires a certain proportionality where we look at the nature, scope, purpose and context of the processing, as well as the risks to the rights and freedoms of natural persons, and on this basis implement appropriate technical and organisational measures.

Amesto is committed to preventing unauthorised access to and disclosure of personal data. We shall ensure that the personal data we process is processed confidentially, we shall maintain the integrity of the personal data as well as ensure that it is available in accordance with the applicable data protection legislation.

In Amesto we believe in building a strong corporate culture where openness, respect for and awareness about data protection for our employees are the fundamental principles for ensuring lawful processing and protection of personal data and other data. «It’s all a matter of trust». The following measures are especially important for us in this regard:

Organisational Measures:

  • Amesto has its own Privacy Council that makes all strategic decisions, monitors and manages the group's data protection work.
  • Amesto has its own Security Council that makes all strategic decisions, monitors and manages the group's security work.
  • Amesto has dedicated people in the group that manage the responsibility for data protection in cooperation with the group management.
  • Amesto has appointed a joint chief privacy officer for the group.
  • All employees shall complete training in data protection and security.
  • Awareness campaigns are being conducted on data protection and security for all employees.
  • All Amesto employees sign a declaration of confidentiality about the information we receive in connection with our work.
  • Internal control responsibilities have been established in the group with clear policies for how data protection should be handled, including privacy impact assessments, records of processing activities and other documentation.
  • All subcontractors shall conclude a data processing agreement with Amesto which ensures an unbroken chain of requirements for data protection and information security.

Technical Measures:

  • Classification of personal data to ensure that the security measures implemented are in proportion to the assessment of risk.
  • Consider using encryption and pseudonymisation as risk-reducing measures.
  • Restrict access to personal data to those who need access in order to fulfil their duties under service agreements or legislation.
  • Use systems that remedy and prevent data breaches.
  • Use security audits to continuously assess whether current technical and organisational security measures are adequate.

Physical measures:

  • Our premises are protected by access control.

4. WHAT ARE YOUR RIGHTS WHEN WE PROCESS PERSONAL DATA

You have the right to demand access to, rectification or erasure of the personal data we process concerning you. You also have the right to demand restricted processing, object to the processing and demand the right to data portability. You can read more about what these rights include on the supervisory authority pages of the respective countries:

Norway         Sweden        Denmark

 

In order to exercise your rights you can register your request by submitting an enquiry to us on the Amesto Trust notification form. This will also provide guidance on your submission. We will respond to your request as soon as possible and no later than within 30 days unless special circumstances exist (in which case you will be notified by us).

We will ask you to verify your identity or to provide further information before we allow you to exercise your rights towards us. We do this to ensure that we only give you access to your personal data and not to someone who claims to be you.

You shall have access to your consents where the consents were first given, and you shall be able to change or withdraw your consents at any time. If you have any questions about a consent, please contact us by submitting a request on the Amesto Trust notification form.

5. APPEALS, BREACHES AND INCIDENTS

If you believe that our processing of personal data does not correspond to what we have described here or that we have otherwise violated the data protection legislation, we hope you will contact us as soon as possible.

Amesto wants all incidents and data breaches that could affect your privacy or information security to be reported to us by submitting a request on the Amesto Trust notification form. We have tried to make it easy to complete this form and it contains good guidance as you work your way through it. All enquiries submitted to the Amesto Trust are handled and followed up in our processing system for dedicated data protection resources in accordance with our internal procedures. When you file a case with us you will also receive information about how you can contact us in order to follow up your case.

You can also contact our chief privacy officer directly; please find the contact details below.

You can also submit an appeal to the local data protection authorities. Information about how to contact data protection authorities can be found on their respective websites.

Norway        Sweden         Denmark

6. CHANGES

Periodically, we need to update this Data Protection Policy in order to provide you with correct information about the way we process personal data. If any significant changes are made, we will inform you about them on our websites and customer portals and in any newsletters.

7. CONTACT INFORMATION

For questions related to this data protection policy or other data protection questions, you can always contact us by submitting a request via the Amesto Trust notification form.

You can also use the following contact details:

Amesto Group attn: Chief Privacy Officer
PO Box 6395
0604 Etterstad

Tel.: +47 922 03 214 

E-mail: amestotrust@amesto.no (please avoid sending personal data in insecure e-mails)