Most businesses handle personal data in some way, due to the mere fact that they employ people. The digitalisation of society has, however, led to much larger amounts and new types of personal data now being gathered and processed. This applies in particular to processing for commercial purposes.
Customer and user data is compiled and managed through apps, the internet and other e-communication platforms, and is increasingly used in targeted marketing, development of new services, sale of data and user information etc.
At the same time, the regulation of data protection is rapidly changing. The EU’s General Data Protection Regulation (GDPR) enters into force in Norway in May 2018, and imposes stricter regulation on companies’ control of processing activities through, inter alia, comprehensive requirements for how personal data is used and for the internal procedures and processes that companies must have. Moreover, new strict sanctions are introduced for non-compliance or breach of the regulation.
Overall, this leads to a greater recognition of the value inherent in possessing and being able to utilise personal data, and of the value in complying with the applicable regulations.
Our assistance aims to add value and to take a pragmatic approach. Our starting point is not the registered person (the person to whom the information relates), but the requirements of the user, i.e. the party that wishes to use the personal data – in compliance with applicable regulations.
Our team provides assistance on personal data protection in all business areas, typically including:
1) Preparation of required documentation and agreements, such as:
- Documentation and content of routines and procedures required to become and stay GDPR compliant
- Preparation of data processing agreements for transfer of personal data both nationally and internationally (e.g. by outsourcing or use of consultancy services or IT services)
- Preparation of data processing agreements tailored to transfer personal data between companies within the same group
- Privacy Policies
- Policy terms
- Drafting of consent declarations (consent from the person providing the personal data)
- Data protection clauses in employment agreements, IT-agreements etc.
2) Questions concerning personal data protection in other relations:
- Use of personal data for marketing purposes, customer and loyalty programmes, profiling etc. (the EU has proposed new regulations for e-communication and marketing (the ePrivacy Regulation), including correspondingly strict sanctions for breach)
- Treatment (including storage and deletion) of data on employees and inspection of employee e-mails
- Management of non-compliance (security breach etc.)
- Transfer of personal data to countries outside of the EU/EEA (Privacy Shield, Binding Corporate Rules, EU’s standard agreements)
- Dialogue and disputes with/before the Norwegian Data Protection Authority/public authorities
Questions related to personal data often constitute a small part of a client’s project or activities.
BAHR’s broad expertise allows us to identify issues and advise on adjoining areas, such as regulations on marketing or financial services. At the same time, we are committed to ensuring that privacy issues do not receive more – or less – attention than necessary to realise the client’s commercial purpose.