Data Protection Policy.

All processing of personal data is regulated by the EU's General Data Protection Regulation (GDPR), which is implemented in all EEA countries.

"Personal data" refers to information and assessments that can be linked to or identify a physical person, such as name, phone number, address, email address, IP address, images, or an identification number.

The legislation sets strict requirements for the processing of personal data. To process personal data, clear defined purposes and a legal basis for the processing are required (such as the processing being necessary to fulfill a contract with you or that you have consented to the processing). Confidentiality and security, embedded privacy, assessment of privacy consequences, and requirements for us as a company to fulfill your rights are also required.

According to data protection legislation, the data controller is the one who determines the purpose of the processing of personal data and the tools to be used. In some cases, joint data controllership can also exist with third parties where the parties together determine the framework for processing. A data processor is the one who processes personal data on behalf of the data controller, and in such cases, there must be an agreement between the parties on the framework for processing. The local data protection authority supervises GDPR and additional national laws.

For more information about privacy, such as guides and contact information for the supervisory authorities that are most relevant to the Amesto companies, see: (link to website or resource)

Norge  Sverige  Danmark

Visitors

Visitors to Amesto’s premises may be asked to record their arrival by providing their name, contact information and if necessary the company they represent. This information is important in order to ensure that Amesto has control over who is present at our premises at any given time, and the legal basis for this is our legitimate interest in having such control. Information provided by visitors is stored for a limited period, unless a visitor consents to the information being stored for a longer period that is specified in the consent. Information about relevant storage periods is provided at each location.

Attending courses and participating in activities

Amesto offers a variety of courses and activities, both online and through actual attendance, where the relevant Amesto companies process information about participants, e.g. name, employer or other connection with us, title/role and contact information. The legal basis for processing is our legitimate interest in administering the course or activities concerned, and in order to document customer participation.

For customers such information is processed in line with ordinary customer processing. If you are not one of our customers, your information will be deleted one year after it was stored, unless you have consented to allowing us to process such information for future events. In such cases your information will be stored and possibly shared with others, in line with the relevant consent provided. 

For customers, such information is processed in line with ordinary customer handling. If you are not a customer with us, the information will be deleted one year after the event unless you have given consent to us retaining such information for future events. In that case, the information will be stored and potentially shared with others, in accordance with the relevant consent.

Suppliers and Business Partners

Amesto has several suppliers and business partners. To document, manage and carry out tasks related to them, we process personal data such as contact person, contact information, title and role, collaborative dialogue via various channels, as well as any login information to products and services that are part of the relationship. The legal basis for processing is to fulfill our agreement with the supplier or business partner, as well as our legitimate interest in managing such third parties.

We keep personal data as long as there is an active relationship with such a third party, and up to 3 years after the relationship ends to be able to follow up on necessary obligations or rights towards the relevant third party.

Customer Portal, chat and email

Amesto uses a customer portal, chat, and email as part of its daily work and in general communication with internal and external contacts.

The legal basis for this processing is our legitimate interest, as well as potential contractual and legal obligations.

Such dialogue is stored in our systems if necessary and relevant, for example for a customer relationship or other necessary documentation. This information is deleted in accordance with the deletion routines for the relevant relationship (such as the customer relationship) or the relevant documentation needs.

Our employees are responsible for deleting unstructured personal data in emails that are no longer current and for reviewing and deleting unnecessary content in their email inbox at least once a year.

It is also noted that regular email is unencrypted. Therefore, please do not send confidential, sensitive, or other confidential information to Amesto via email.

Amesto Trust Center

Amesto has an Amesto Trust Center to manage incident reporting and other mandatory information related to employees, critical matters, health, environment, safety, privacy, and other information security. Inquiries via the Amesto Trust Center also include requests for data subjects' rights when we act as data controller, and other general inquiries that are sent to us via the Trust Notification Form.

If you use the Amesto Trust Notification Form, personal information about you as the reporter will be stored, including your name and contact information, unless the form is submitted anonymously. The reporter enters information into a secure web form, which is then processed in our case management system by dedicated resources depending on the nature of the case. Personal information processed will be automatically deleted in accordance with defined retention schedules for various types of cases, personal information, and legal requirements.

The legal basis for such processing is to enable us to fulfil our legal obligations or is based on Amesto’s legitimate interest in processing any enquiries that you send to us.

General Information about our legal obligations

We process data in order to comply with our statutory obligations or decisions adopted by the authorities. This applies to, for example, the storage of accounting documents in accordance with local legislation, in order to comply with orders issued by the courts or other public authorities.  The legal basis for such processing is compliance with our statutory obligations, and we store such data in accordance with any relevant legal requirements.

General information about security

We need to process personal data in order to secure both your assets and those of Amesto. For example, this is done through access management, logging into servers and systems, and operating infrastructure, firewalls and access control.

The legal basis for such processing is primarily compliance with our legal obligations. The legal basis for processing may also apply to any commitments that are set out in agreements with our customers, as well as our legitimate interest in safeguarding both your and our assets. Storage times will be dependent on the purpose and legal basis for such processing.

Prevention and evaluation of criminal offences committed against Amesto

We use personal data to prevent, expose, clarify and deal with fraud and other criminal offences committed against Amesto, as well as any misuse of our services. The lawful basis for this processing is our legitimate interest in achieving the purpose as described. The storage period will depend on the specific purpose.

Complaint Process, Recourse Claims and Legal Proceedings

We use personal data to establish, exercise and defend legal claims, for example in connection with the processing of complaints, recourse claims and legal proceedings. The lawful basis for this processing is Amesto's legitimate interest in achieving the purpose as described. To fulfil this purpose it may in special cases also be necessary to process specific categories of personal data without consent. The storage period will depend on the specific purpose.

Disclosure of personal data in response to legal orders

To the extent required by law or judicial decree, or when necessary for the investigation of possible criminal offences against our company, relevant data may be disclosed to the public authorities or any other legitimate entities.

Processing of data by our suppliers

Suppliers who provide services for or on behalf of Amesto, or who assist us with the operation of the company, will normally be data processors and consequently be able to access personal data. Data processors may not use such data for purposes other than the purpose for which it was collected, and as determined by Amesto. Separate data processing agreements regulate all personal data that is shared with these suppliers.

In connection with business transfers

Personal data could in some cases be disclosed in connection with mergers, acquisitions, sales of Amesto assets or transfers of services to another company.

Disclosure of Personal Data to Countries outside the European Economic Area

In some cases we may use suppliers or partners that process personal data in countries outside the European Economic Area. In such cases we ensure that the data is transferred in accordance with this Data Protection Policy and in accordance with the applicable data protection legislation, and any approved standard agreements and certification schemes.

Amesto processes personal data in connection with recruitment primarily as a so-called data controller or joint data controller.

We act as a data controller when we process personal data which is sent to us with applications for jobs at Amesto.

In some cases Amesto may act as a joint data controller with a third party, e.g. recruitment company, and the third party and Amesto will jointly decide how to process the personal data concerned. In such cases the division of responsibilities, the purpose of processing and any aids that are to be used are specially regulated in a separate agreement about shared processing responsibilities.  The companies in the Amesto Group are joint data controllers of Amesto’s recruitment database.

The formal responsibility for processing personal data lies with the general manager of the Amesto company which is responsible for the processing concerned. Amesto has appointed its own chief privacy officer in order to help the group management to mange the group’s responsibilities, and a joint privacy officer has been appointed for the whole Amesto group. Contact information can be found at the bottom of this Data Protection Policy.  

Amesto may share personal data with any data processors who assist us in the recruitment process, such as recruitment companies that provide help with the assessment of candidates and providers of personality tests, etc. Such processing is regulated under separate data processing agreements with Amesto's specific instructions on how data processors process personal data.

Applications for specific jobs

Amesto processes the personal data that is necessary for assessing whether or not an applicant is suitable for filling the position that is vacant. Personal data which you provide in connection with recruitment is processed, including name and contact information, information about education, work experience and other qualifications, as well as any photos and video presentations that you share. As part of the recruitment process we may also search for further information about you online, including on social media. This is based on our legitimate interest in being able to assess your application and suitability for the job in question.

For some jobs it may be necessary to undertake credit checks, obtain police certificates and obtain details about other relevant posts. It may also be relevant to conduct ability and/or personality tests. If so, we will process the test results, as well as any technical information such as IP address and any login information which is specified in the test tool. If any of this is relevant for the job, any relevant applicants will receive more information in connection with the recruitment process, and the information will be processed on the basis of your consent. Providing consent is voluntary, but please be aware that if we need to process such information for the job in question and you refuse to give your consent, we will not be able to consider you for the job.

We will retain your application and all the information you give us in connection with the application process, as well as our own assessments of you in your capacity as an applicant, until the application process has been completed and for 3 months thereafter. However, please note that we will not store the actual content of any credit checks or police certificates, but only store the fact that such tests have been carried out and whether or not the candidate is still suitable for the job.

If you have applied for a particular job in one specific Amesto company, we will not share your personal data with other companies in the Amesto group without your consent. Please also see the information about our recruitment database below.

You can withdraw your application or your consent to the processing of personal data at any time by sending a request to the contact for the job or by using the Amesto Trust notification form.

Companies in the Amesto group process personal data about customers, potential customers and visitors on our social and digital media, primarily as so-called data controllers, and in some cases as joint data controllers.

We will provide more information about this below.

Our websites

When you visit our websites, we use cookies (also called information capsules). These are small files which are placed on your computer when you download a website. We categorise the use of cookies in the following areas:

• Essential cookies which are placed on your computer as soon as you visit an Amesto website. They are technically essential for enabling the website to function. Typical examples are screen functions and menus.
• Functional cookies such as preferred language or the region in which you are located.
• Cookies for analysis purposes in order to assess how the website is used and for identifying improvement potential.
• Cookies for marketing purposes such as Facebook pixels which enable us to display advertisements which are relevant and interesting for individual users.

Amesto’s websites do not place any cookies other than those that are necessary until you have given your consent in our cookies statement. They also provide information about how we store and share such cookies. You can amend your consent at all times in the bottom left-hand corner of our websites.

Browser providers also have help pages on how you can administer information capsules:

• Google Chrome
• Internet Explorer
• Mozilla Firefox
• Safari (PC)
• Safari (Mobil)
• Android Browser
• Opera

• Opera Mobile

Social media

Amesto has also created websites on various social media platforms in order to convey information and marketing details about the group, as well as involve us in discussions with interested parties. We share processing responsibilities with the operators of such platforms such as Amesto’s pages on Facebook, Instagram and LinkedIn. Amesto has a legitimate interest in understanding and communicating on social media with interested parties who have elected to follow us and contact us, while the relevant social media have their own legitimate interests as explained in their own privacy declarations.

If you visit, like or share our content on social media such as Facebook, Instagram, YouTube and LinkedIn, pixels are delivered in order to collocate data for targeted advertisements against the segment in question. This cannot be linked directly to you as an individual. You can read more here about how collocated data is used for displaying advertisements without the advertiser knowing who you are:

• Facebook og Instagram https://www.facebook.com/ads/about/?entry_product=ad_preferences
• LinkedIn
  https://www.linkedin.com/legal/privacy-policy
• YouTube (eies av Google) https://policies.google.com/privacy

Potensielle kunder

Potential customers

Answering enquiries: before a customer relationship is established, we process personal data such as name, employment conditions, title/role and whatever you are asking so that we can administer enquiries made to us. We will process and share personal data within the group so that we can answer enquiries to the best of our ability. This type of processing is based on an agreement to answer your enquiry. Such information is deleted immediately once your enquiry has been answered satisfactorily.

Establishing leads: based on our legitimate interests, we also develop an overview of potential customers and contacts based on publicly available information. Such information is stored for one year.

If you give consent once when you make enquiries with us, we will also register you as a lead and we will process your information in line with the relevant consent.

Kunder

Customers

When you or the company you work for are one of our customers, we process personal data so that we can document, administer and perform tasks in connection with our service deliveries. This could be in connection with customer surveys, customer service, to provide relevant and necessary information and invoicing, etc. We will process the name of the customer (which is personal data if you are a sole proprietorship), customer contact, including contact details, title and role and customer dialogue on various media, as well as any login information for products and services that are part of the customer relationship.  The legal basis for processing is to fulfil the agreement with the customer, as well as our legitimate interests in respect of managing the customer relationship.

We keep personal data in connection with customer relationships for as long the relationship with Amesto is active, and for up to 3 years after the relationship has ended, in order to safeguard our own interests and those of former customers.

Furthermore, on the basis of our legal obligations, Amesto can also store customer information in accordance with statutory requirements if such is specified in such documentation, e.g. items which have an accounting obligation.

Consolidated Customer Register

Amesto is a group consisting of several companies. We have a common Customer Register for customers in the Amesto TechHouse Group and the Amesto AccountHouse Group. The purpose of having a Consolidated Customer Register is to effectively administer our customer relationships and to coordinate consultancy, the provision of services and legal marketing across all of our companies. In our Customer Register we process and store customer information as described under “Customers” above, with the exception of customer dialogues which are not available across the board.

The Amesto companies are jointly responsible for processing material in the Consolidated Customer Register. The legal basis for processing and sharing basic information across our legitimate interests is to administer customer relationships and coordinate activities across the Amesto group.

Marketing

We process personal data in order to market our products and services. Our marketing activities include such things as segmentation of target audiences for marketing, marketing based on the purchase or use of our services, etc, sending out newsletters and other forms of legal marketing.

The legal basis for such processing is primarily our legitimate interest in marketing the Amesto group’s products and services. In some cases the legal basis will be consent. This applies primarily to the issue of electronic marketing (such as e-mail and SMS), to non-existent customers, from other Amesto group companies than with those with whom you have a direct customer relationship, or other situations where consent is required under applicable law.

Upon termination of a customer relationship, we will only use this information for direct online marketing if you have consented to this.

If you sign up for newsletters or select the option to download information such as checklists and White Papers, etc., we will process your personal data in accordance with the relevant consent.

You have access to your consent at the location where you initially gave such consent, where you can easily and at any time amend or withdraw your consent. You can also contact us on the Amesto Trust notification form.

Som eksisterende kunde kan du reservere deg mot at vi tar kontakt med deg.  Dette gjøres gjennom en tydelig merket «meld deg av» link i den aktuelle utsendelsen. Merk at du ikke kan reservere deg mot kritisk informasjon som vedrører kundeforholdet. Du kan også ta kontakt med oss gjennom Amesto Trust notification form.

Analyses and product development

We use collocated data for conducting analyses that help us to understand potential and existing customers' needs. We use such information for analysing how our products and services, as well as social and digital media, are used, so that we can further develop them in order to provide maximum value.

These types of activities are primarily aggregated (collocated) data, but in some cases they may also involve the processing of IP addresses. The legal basis for such processing is our legitimate interest in understanding and adapting ourselves to our customers’ needs in order to develop our products and services.

In addition to the processing described above, the Amesto companies may also engage in further processing and sharing of personal data in their capacity as data controllers in connection with their services areas.

Accountancy work

In our capacity as an accountancy company, we receive various information from our customers, including large quantities of personal data. Customers who are responsible for processing personal data forward such to us in our capacity as a data processor in line with the assignment contract and its accompanying data processing agreement.

Under the accountancy regulations, we are required to store assignment documentation. Assignment documentation consists of basic material relating to the work to be carried out, as well as documentation relating to the actual work. This might for example include received timesheets and information about deductions to be made from salaries, etc. Assignment documentation also consists of a certain amount of information and documentation about the customer, such as beneficial owners, whoever is acting on behalf of the customer and investigations about suspicious transactions subject to the Norwegian Money Laundering Act, etc.

In its capacity as an accountancy company Amesto is thus also responsible for processing such personal data which relates to customers. All storage of such information is governed by the Norwegian Accounting Act and its appurtenant regulations, generally accepted accounting principles and supporting legislation, e.g. the Norwegian Money Laundering Act.

This information is only shared with the customer, as well as the public authorities in accordance with special authority (e.g. the Norwegian Accounting Act, the Norwegian Tax Administration Act and the Norwegian Money Laundering Act). We store personal data in accordance with current statutory requirements, mainly for 5 years from the end of the year, or for as long as a customer relationship lasts and for up to 5 years after such relationships end.

Amesto works in a planned and systematic manner to protect personal data.

Through good internal control and great information security, we ensure that we process personal data lawfully, securely and properly.

We shall look after the rights and freedoms of the data subject, while also fulfilling the company’s lawful purposes of the processing. Under the data protection regulations, this requires a certain proportionality where we look at the nature, scope, purpose and context of the processing, as well as the risks to the rights and freedoms of natural persons, and on this basis implement appropriate technical and organisational measures.

Amesto is committed to preventing unauthorised access to and disclosure of personal data. We shall ensure that the personal data we process is processed confidentially, we shall maintain the integrity of the personal data as well as ensure that it is available in accordance with the applicable data protection legislation.

In Amesto we believe in building a strong corporate culture where openness, respect for and awareness about data protection for our employees are the fundamental principles for ensuring lawful processing and protection of personal data and other data. «It’s all a matter of trust». The following measures are especially important for us in this regard:

Organisational Measures:

• Amesto has its own Privacy Council that makes all strategic decisions, monitors and manages the group's data protection work.
• Amesto has its own Security Council that makes all strategic decisions, monitors and manages the group's security work.
• Amesto has dedicated people in the group that manage the responsibility for data protection in cooperation with the group management.
• Amesto has appointed a joint chief privacy officer for the group.
• All employees shall complete training in data protection and security.
• Awareness campaigns are being conducted on data protection and security for all employees.
• All Amesto employees sign a declaration of confidentiality about the information we receive in connection with our work.
• Internal control responsibilities have been established in the group with clear policies for how data protection should be handled, including privacy impact assessments, records of processing activities and other documentation.
• All subcontractors shall conclude a data processing agreement with Amesto which ensures an unbroken chain of requirements for data protection and information security.

Technical Measures:

• Classification of personal data to ensure that the security measures implemented are in proportion to the assessment of risk.
• Consider using encryption and pseudonymisation as risk-reducing measures.
• Restrict access to personal data to those who need access in order to fulfil their duties under service agreements or legislation.
• Use systems that remedy and prevent data breaches.
• Use security audits to continuously assess whether current technical and organisational security measures are adequate.

Physical measures:

• Our premises are protected by access control.

You have the right to demand access to, rectification or erasure of the personal data we process concerning you. You also have the right to demand restricted processing, object to the processing and demand the right to data portability. You can read more about what these rights include on the supervisory authority pages of the respective countries:

Norway              Sveden           Denmark

In order to exercise your rights you can register your request by submitting an enquiry to us on the Amesto Trust notification form.

his will also provide guidance on your submission. We will respond to your request as soon as possible and no later than within 30 days unless special circumstances exist (in which case you will be notified by us).

We will ask you to verify your identity or to provide further information before we allow you to exercise your rights towards us. We do this to ensure that we only give you access to your personal data and not to someone who claims to be you.

You shall have access to your consents where the consents were first given, and you shall be able to change or withdraw your consents at any time. If you have any questions about a consent, please contact us by submitting a request on the Amesto Trust notification form.

f you believe that our processing of personal data does not correspond to what we have described here or that we have otherwise violated the data protection legislation, we hope you will contact us as soon as possible.

Amesto wants all incidents and data breaches that could affect your privacy or information security to be reported to us by submitting a request on the Amesto Trust notification form. 

We have tried to make it easy to complete this form and it contains good guidance as you work your way through it. All enquiries submitted to the Amesto Trust are handled and followed up in our processing system for dedicated data protection resources in accordance with our internal procedures. When you file a case with us you will also receive information about how you can contact us in order to follow up your case.

You can also contact our chief privacy officer directly, please find the contact details below.

You can also submit an appeal to the local data protection authorities. Information about how to contact data protection authorities can be found on their respective websites.

Norway              Sweden           Denmark

Periodically, we need to update this Data Protection Policy in order to provide you with correct information about the way we process personal data. If any significant changes are made, we will inform you about them on our websites and customer portals and in any newsletters.

For questions related to this data protection policy or other data protection questions, you can always contact us by submitting a request via the Amesto Trust notification form.

You can also use the following contact details:

Tel.: +47 922 03 214

E-post: amestotrust@amesto.no (please avoid sending personal data in insecure e-mails)