Privacy Policy

Norsk Solar is committed to ensuring the protection and privacy of personal information processed by the Company. To that end, Norsk Solar shall ensure compliance with GDPR and all relevant data protection regulations that at all times apply to our business and operations. The purpose of this policy is to define Norsk Solar’s responsibilities for the protection and privacy of personal information.
Policy Applicability
This policy applies to Norsk Solar, all its employees (including outsourced staff, temporary hires, and trainees/interns), and any subsidiaries carrying out business within the EU and EEA.
What is GDPR and personal information?
GDPR is an EU regulation on data protection and privacy in the EU and EEA areas. The primary purpose is to give individuals control over their data and to simplify the regulatory environment for international business by unifying the regulation within the EU and EEA markets. It also addresses the transfer of personal data outside the EU and EEA areas.
GDPR applies to all companies that process the personal information of individuals inside the EU/EEA (regardless of the company's location and the individual's/data subject's citizenship or residence).
Applicable laws and regulations
Norsk Solar is subject to the Norwegian Data Protection Act (“Personopplysningsloven, LOV-2018-06-15-38”), which implements the GDPR requirements.
Any subsidiaries outside of Norway will be subject to the relevant GDPR in the jurisdiction where the subsidiary processes personal data.
Data Protection Principles
In Norsk Solar, all Personal Data shall be:
- Processed lawfully, fairly, and in a transparent manner concerning individuals.
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Adequate, relevant, and limited to what is necessary concerning the purposes for which they are processed.
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organizational measures required by the GDPR to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures.
Lawful, Fair, and Transparent Processing
Should the number of employees in Norsk Solar exceed 250, a Processing Inventory containing the type of personal information that the Company processes, the purpose of the processing, and the cleaning requirements shall be established.
The Processing Inventory shall in such case be maintained by the compliance function.
Lawful Purposes
- All processing of personal data by Norsk Solar must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.
- Subject to clause 7, Norsk Solar shall note the appropriate lawful basis in the Processing Inventory.
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be available, and systems should be in place to ensure such revocation is reflected accurately in the Company’s systems.
Data Minimisation
Norsk Solar shall ensure that personal data are adequate, relevant, and limited to what is necessary concerning the purposes for which they are processed. Norsk Solar shall therefore not collect or archive personal data beyond what is needed for each specific processing.
Accuracy
Norsk Solar shall take reasonable steps to ensure personal data is accurate.
Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
Archiving and Data Deletion
To ensure that personal data is kept for no longer than necessary, Norsk Solar shall put in place an archiving procedure for the areas in which personal data are processed, and review this process annually.
The archiving procedure shall take into account the reasons why Norsk Solar needs to process the data, as well as any legal or contractual obligations to keep the data for a fixed period, and shall define what data should/must be retained, for how long, and why.
The Company shall on an annual basis confirm that the deletion or anonymization of personal data that is due to be cleaned or anonymized has been completed.
Security and Security Breach
Norsk Solar shall ensure that personal data is stored securely using software that always meets industry standards and that such software is kept up to date.
Access to personal data shall be limited to personnel who need access, and appropriate security shall be in place to avoid unauthorized access to personal data.
When personal data is deleted, this should be done safely such that the data is irrecoverable. An alternative solution to deleting the data is to anonymize the data.
Appropriate backup and disaster recovery solutions shall be in place.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data, Norsk Solar shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the applicable regulator.