Frequently asked questions
Find answers to your questions
What is personal information?
All information about you, whether in written or spoken form, is considered personal information. This could include your name, age, height, what you study, who your parents are, which bank you use, or which football team you support. All of this is information (data) about you as an individual.
What is privacy?
Privacy is about you having control over your own life and who should know about it. Only you (or your parents if you are under 16 years old) decide who should have information (e.g., name, date of birth, address, gender...) about you.
What does GDPR mean?
GDPR stands for General Data Protection Regulation. It means that Europe, along with Norway, has established rules for what companies can collect, store, process, and ask you about as a customer/consumer. When you are online or using social media, you might not think much about what information you are giving away, but GDPR is designed to protect and assist you as an individual in a technology-filled society!
What types of personal information exist?
After the General Data Protection Regulation (GDPR), which is incorporated into the Personal Data Act, we can say that there are "ordinary" (regular) personal data and sensitive personal data. Under the law, sensitive personal data is referred to as "special categories of personal data."
Ordinary personal data includes: Name, address, national identification number, phone number, family, employment, education, and similar information.
NB! Although the national identification number is not considered sensitive, we at EYD recommend that you protect the last five digits with extra care. If you need to send a national identification number (including the last five digits) by email, encrypt the email using your email client's settings.
Sensitive personal data includes: Political opinions (party affiliation or voting preferences), sexual orientation (heterosexual, bisexual, homosexual etc.), religious beliefs (Muslim, Christian, atheist etc.), trade union membership, genetic information, health information, and more.
NB! When your employer or other entities collect and process such information, specific handling requirements apply. In short, some of these requirements are:
- Explicit consent must be given (the consent cannot be ambiguous but clear and explicit) from the person providing the information.
- The processing must be genuinely necessary. For example, a hospital cannot give a patient blood until it is 100% certain that the patient is indeed who they believe it is.
- The processing must be strongly protected, so that sensitive information is not compromised. Examples are two-factor authentication, login via public registers, or other approved protective measures.
- There are clear risk and vulnerability assessments, in addition to a clear action plan if the information is compromised or accessed by unauthorized parties. This can be done through a Privacy Impact Assessment or a prior consultation with the authorities (Data Protection Authority). The reason for this is that the information holds significant value for the individual, and therefore, it must be protected with extra care!
- If your company is large, public, collaborates with public authorities, or processes substantial amounts of data, then you should consider whether you need a Data Protection Officer (DPO). It is a role responsible for ensuring compliance with and overseeing data protection regulations in line with the company's objectives and scope.
Which rights do I have?
All individuals have rights concerning personal information. Having rights means you are entitled to know, see, or receive something concerning you and your information. This includes, among other things, access (you may see what a company has recorded about you), correction (you may have the information a company holds about you changed), and deletion (you may request that information about you be deleted from a company or system).
Is there anything else I should be concerned with regarding personal information?
If you believe or know that a company, app, program, or game has very intimate and personal information about you, you can ask the company about how well they protect it. For example, not everyone likes to have information about their illness, sexuality, political affiliation, or religious beliefs disclosed. You can usually find the company's contact information on their website. When you send them a letter/email, try to be specific about what you are asking about so that it is easier for the company to locate your information.
How does a company know that they have information about me and not someone else?
That is a good question! Verifying (confirming) that it is actually you they hold information about is part of the company's job. There are several ways to confirm identity. Examples include the use of BankID, authentication apps, or a phone call/SMS sent to you so that you can say 'Yes, this is me' when someone logs in with your name, phone number, username, or email.
Should I be concerned that a company collects information about me?
No. In Norway, there are generally strict requirements for collecting information, and Europe (EU/EØS) has collectively established rules on how this should be done. There have also been many popular series, documentaries, and movies about such data collection, which have made people more concerned about privacy than ever before. Nevertheless, EYD recommends that you pay attention to how companies collect and use your information.
Datatilsynet (Norwegian Data Protection Authority) has observed that several international companies do not comply with the rules agreed upon in Europe, and in some cases these companies have to pay fines for breaching the regulations. These fines are often substantial, and the companies also risk reputational damage.
If you are located outside the EU/EØS countries, for example, if you live in the US, Asia, South America, Canada, Russia, the Middle East, or similar regions, there are specific precautions and requirements for storing and transferring personal information. The reason for these heightened requirements is that when the EU/EØS has stringent demands and security protocols for handling personal data, there is no guarantee that other countries necessarily have the same level of protection.
For instance, recently, the USA obtained approval from the EU Commission for its data transfer rules, which means that certain companies in the USA can receive and process personal data if they are included on an "approved list."
Who is EYD?
EYD is a company specializing in privacy and information security. We offer various services and solutions to help businesses and organizations comply with privacy requirements and protect personal data.
EYD works to deliver comprehensive solutions that include access services, consulting, privacy management, and training. Our services are designed to assist businesses in managing privacy challenges, complying with regulations, and building trust with customers and partners.
Through our expertise and experience in privacy, EYD contributes to ensuring that businesses can process personal data legally, efficiently, and transparently.
Why should I choose EYD?
Why not? EYD does not compete against anyone. EYD and several other companies aim for a common goal, namely providing you with better information about your rights as a user of stores, apps, companies, programs, games, and systems.
Is encryption good?
Yes. Encryption is a form of protection. If a company encrypts your information, it is to prevent others from accessing the information. However, for you or the company to view the information, someone must have an encryption key that can unlock the "door" to the information.
How much do companies know about me?
How big is a fish? It is difficult to answer exactly how much a company knows about you, but we can turn it around. For example, if you are going to receive offers from a store you like, the store needs to know at least your email or phone number. However, 'minimum' is the keyword here. A company should not know more about you than what is absolutely necessary. Usually, the information a company needs about you is your name, email, and/or phone number.
Am I being monitored on the internet?
Both yes and no. The information you have provided on various websites and apps can be traced back to you. Additionally, if you have allowed location services (your geographical location) to be enabled, certain websites/apps can know where you are in the world and what IP address you have. Some websites can also recognize patterns, meaning how you typically behave on the internet, so they can offer you content (videos, images, and text) that you are most likely to enjoy. This is done by algorithms. Algorithms work in such a way that if you like sports and watch mostly sports-related content, you will also receive advertisements for more sports, sports events, and athletes. This is possible because of the cookies left behind when you visit websites.
What are cookies?
Cookies! Just kidding. They are called cookies because they can be compared to being in the kitchen, finding a really delicious cookie, and then eating a bit or breaking it in half, causing cookie crumbs to fall on the floor. Then, you walk into the hallway because you want to pet your dog while eating. On the way from the kitchen to the hallway, you can see cookie crumbs everywhere that you have spilled. The cookie crumbs are an example of the traces you leave behind on the internet. These traces reveal where you've been, what you usually look at, and what you click 'like' on.
Can I delete photos and texts of me from the internet?
Yes, you should be able to do that. The company, website, or app that has information about you should delete the information about you if you want.
How do I transfer data to a country outside the EU?
The European Commission has created a list of countries with an adequacy decision. This means countries to which you can transfer data as if they were EU/EEA countries.
Other transfer mechanisms may include a country providing guarantees through standard data protection provisions established by the European Commission. If you create your own agreements, that is also possible, but it must be approved by the Data Protection Authority and the European Data Protection Board.
Additionally, you must have a legal basis for the data transfer, ensuring that the recipient country is capable of safeguarding the personal data you provide.
Does my company need a data processing agreement?
Many companies today require a data processing agreement to ensure that both parties are obligated to protect and manage personal data securely. The most common examples are when your company collaborates with an IT supplier for system solutions or an HR supplier for recruitment, payroll, and operations. These arrangements must be established through an agreement between your company and the supplier.
You can contact us at EYD anytime if you have any questions about data processing agreements.
A data processing agreement is about having an agreement between you and your supplier, such as IT solutions, HR solutions, educational materials (or other services), on how personal data should be transferred and protected.
There are many difficult words within privacy. What does data controller mean?
We at EYD agree with you! There are many difficult words and expressions. EYD is working on creating a glossary and a video where we explain the various terms. To start with the first (and perhaps most important) one: Data Controller.
When GDPR came into force in 2018, one of the biggest changes was that data controllers were given a clearer external responsibility. This means that regardless of how your organization is structured, whether there are several companies under the same umbrella or one company is the "responsible" one (for example for financial loss or legal documents), it is still the data controller who is responsible for personal data. Behind every company, initiative, foundation, and organization there are people who created the business. In short, a person cannot absolve themselves of responsibility for personal data.
What is a Data Protection Officer (DPO), and does my company need one?
There are several provisions or conditions that require your company to have a Data Protection Officer. A Data Protection Officer is a person who assists the data controller in ensuring that personal data is processed in a secure, transparent, accessible, confidential, and proper manner. The data controller remains ultimately responsible for the processing itself, while the Data Protection Officer has oversight of the processing of personal data as their main task.
If the organization is public, it must have a Data Protection Officer. Public organizations include municipalities, the Armed Forces, libraries, schools, and similar entities.
If the organization's main purpose is to process personal data, where the nature or extent of the personal data is significant, then a Data Protection Officer is required. The term "nature" may apply to personal data about children or individuals with criminal history or other somewhat "special" categories. The "extent" refers to the volume of personal data being processed.
Lastly, if your organization processes special categories of personal data, such as ethnic origin, sexual orientation, health information, medical history, political opinions, and similar information that we all consider more discreet and not always desirable for everyone to know, there must be a Data Protection Officer in the organization.
What does access mean?
In short, the right of access works as follows:
Individuals have the right to access and receive a copy of their personal data; such a request is known as a subject access request (SAR). SARs can be made verbally, in writing, or through social media, and can also be made by a third party on behalf of someone else. Normally, you cannot charge a fee for handling a request. You should respond promptly, and within one month of receiving the request; this can be extended by two months for complex requests or for multiple requests from the same individual. Conduct a reasonable search for the requested information and provide it in an accessible and secure manner. You can refuse to provide the information if certain exemptions or restrictions apply, or if the request is unfounded or excessive.
Who does the right of access apply to?
You and your personal information (personal data). Children's privacy and consent in online services are also important for the right of access:
When a company offers online services or information directly to a child, they need to follow specific rules about handling the child's personal data. If the child is at least 16 years old, the company can process their personal data without any issues under Article 6(1). However, if the child is under 16 years old, the company can only process their data if they have obtained consent from a parent or someone who has parental responsibility for the child.
Different countries within the EU can set their own age limit, but it cannot be below 13 years for processing the personal data of children.
In practical terms, this means that if parents want to access their child's information when the child is between 12 and 16 years old, they must have a valid reason. Children have their own interests that should be respected. Once the child turns 16 years old, they are considered capable of giving consent and can decide who can access their personal information.
Be aware that nations can have different age restrictions.
How can I request access?
You fill out a form; this is the easiest way for a company to know who you are and what information you are requesting. The company is not entitled to know the reason for your access request. An example of an access request form is this: Access Request Template.
However, it is possible that the company you are requesting access from may not have this exact template. In that case, we recommend calling them or sending an email. The company must respond to your request in any case.
What happens when you request access to your personal data?
The company that receives a phone call, letter, or email from you is obligated to assist you in making this information available to you. As a general rule, the company should do this for free, and you should receive a decision on your access request within 30 days.
Are there any times when I do not have the right to access?
Yes. There are some exceptions to the right of access. This may, for example, be the case when the information you want access to infringes on the rights of others. This could be a chat log/email you have with others or if there are other individuals in a picture/text, or similar situations. The company may also attempt to redact/remove parts of the information so that you only get access to what concerns you, but this can often take a long time and be extensive. Exceptions may also apply when a document is subject to confidentiality obligations or if the document is classified under security regulations according to the Security Act.
Where can I find the rules about access?
When it comes to personal data, you can find the rules in the Personal Data Act, which incorporates the General Data Protection Regulation (GDPR). Article 15 of the GDPR covers the rules about access.
Paragraph 1 sets out WHAT you have access to (letters a to h). Paragraph 2 explains the safeguards the company must inform you about if it transfers the data to countries outside the EU. Paragraph 3 states that you have the right to receive a copy of the personal data being processed. Paragraph 4 emphasizes that the copy you receive must not adversely affect the rights and freedoms of others.
Can a company receive a fine for not following the rules?
Yes. Companies, large and small, that process personal data must adhere to the rules set forth by the General Data Protection Regulation (GDPR). The Data Protection Authority can issue warnings, fines, and orders for changes if they discover any violations.
An example of data transfer to another country is when Ferde (a toll road company) transferred information about Norwegian motorists to China (a third country) without conducting a risk assessment or informing the individuals.
The company that you have requested information from is obligated to correct any information that can be linked to your identity.
I have a very common name, how do I know if they have registered me and not someone else, or vice versa?
The company is obligated to have solutions that ensure they know who they are dealing with or storing information about. This can be achieved through logging in with BankID or other secure methods of authentication, or by communicating with you through platforms. While many processes may have been automated in your workplace, you are the sole owner of your identity, and you have the right to ensure this by requesting access to information about you.
How does EYD work with access?
Is there something more I should know about access?
You should be well-equipped with the information provided above! However, remember that the right of access applies only to you (or your child), and it should not negatively impact anyone else. Be specific about what information you want to access, even on a detailed level if you know which systems (Microsoft Excel, Skype, Discord, etc.) the company uses. The clearer and more organized your request for access is, the easier (and faster) it will be for the company to process your inquiry.
When does the right to access come into effect?
In Norway, the right to access comes into effect under different laws and regulations. For instance, the public access law (offentleglova) ensures transparency in all public activities. If you are mentioned in a case, you have the right to access relevant information through administrative law (forvaltningsloven). Additionally, the personal data law (personopplysningsloven) grants you the right to access information processed about you as an individual.
What if there are conflicting considerations between two laws?
If a case you are involved in falls under multiple laws, the rule is that the most specific legislation that applies to your case takes precedence over more general legal rules. Furthermore, there is a principle that newer rules take precedence over older rules. Fortunately, the General Data Protection Regulation (GDPR) and the Personal Data Act are quite recent from a legal-historical perspective.
How do you protect the data of our customers?
We take the security of your customer data very seriously. We implement several measures to ensure that your information is safe and protected:
Encryption: We use advanced encryption technology to protect customer data during transmission and storage. This ensures that the information is only accessible to authorized parties.
Access Control: We have strict measures to limit access to customer data. Only authorized individuals with a need for access have permission to handle this data.
Security Updates: We continuously update and maintain our security systems to protect against known vulnerabilities and threats. This includes installing security updates and patches as soon as they become available.
Monitoring: We closely monitor our systems to detect and respond to any security incidents.
Training and Awareness: We provide training to our staff on best practices in data security and privacy. This helps us maintain a culture of high awareness around security and helps reduce the risk of accidental data leaks or mishandling.
We are committed to protecting your customer data and maintaining a high level of security through these measures and the continuous improvement of our security infrastructure.
Where do you store customer data?
We store your data securely in Azure Blob Storage in the West Europe region. This ensures that your information is stored geographically close to you and is handled in compliance with the privacy laws and regulations that apply in this region.
This means that your data is processed in accordance with strict security standards and guidelines established for the protection of personal information in West Europe.
What encryption methods do you use?
We ensure the security of your information by using both asymmetric and symmetric encryption.
Asymmetric encryption is used to establish a secure communication channel and to exchange keys safely; it prevents unauthorized parties from reading or modifying your data.
Symmetric encryption transforms data into an unreadable form that can only be decrypted with a specific key.
We combine both methods to achieve high security and protection of your data.
What happens if I suspect that my account has been compromised?
If you suspect that your account has been compromised, we encourage you to take the following actions immediately:
Change your password: Change the password for your account immediately. Choose a strong and unique password that you have not used before.
Account information: Review and update all relevant account information, including email address, phone number, and security questions.
How is the website secured?
We secure our website by implementing several security measures, including the use of TLS (Transport Layer Security) and HTTPS (Hypertext Transfer Protocol Secure). This ensures that all communication between users and our website is encrypted and protected from unauthorized access and interception. We also conduct regular security assessments and updates to maintain a reliable security infrastructure.
I have discovered a security vulnerability on your website, what should I do now?
We appreciate you reporting a security vulnerability on our website, and we encourage you to contact us immediately by email at firstname.lastname@example.org. Please describe the vulnerability and include any relevant information, such as screenshots or steps to reproduce the issue.
We have published a ".well-known/security.txt" file with security contact information and guidelines. Additionally, as a token of appreciation for your help, individuals who find security vulnerabilities and report them to us will be included in our "Hall of Fame" in recognition of their contribution to improving the security of our website.
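The ".well-known/security.txt" file follows the format standardized in RFC 9116: one "Field: value" per line, with "Contact" and "Expires" required and "Acknowledgments" pointing at a page such as a hall of fame. As an added example, not EYD's actual file or tooling, the Go program below parses a constructed security.txt and checks the rules that matter most for a working disclosure channel: at least one Contact, exactly one Expires in RFC 3339 format that has not yet passed, and at most one Preferred-Languages line. Every URL and address in the sample is a placeholder.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
	"time"
)

// sampleSecurityTxt is a constructed file in the RFC 9116 format. The
// addresses and URLs are placeholders, not EYD's real contact details.
const sampleSecurityTxt = `# /.well-known/security.txt (constructed example)
Contact: mailto:security@example.org
Contact: https://example.org/security/report
Expires: 2030-01-01T00:00:00Z
Acknowledgments: https://example.org/security/hall-of-fame
Preferred-Languages: en, no
Canonical: https://example.org/.well-known/security.txt
`

// SecurityTxt maps each lower-cased field name (RFC 9116 field names are
// case-insensitive) to the values seen, in file order.
type SecurityTxt map[string][]string

// ParseSecurityTxt reads "Field: value" lines, skipping blanks and # comments.
func ParseSecurityTxt(body string) (SecurityTxt, error) {
	st := SecurityTxt{}
	sc := bufio.NewScanner(strings.NewReader(body))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, value, ok := strings.Cut(line, ":")
		if !ok {
			return nil, fmt.Errorf("line %d: not a \"Field: value\" line", n)
		}
		key := strings.ToLower(strings.TrimSpace(name))
		st[key] = append(st[key], strings.TrimSpace(value))
	}
	return st, sc.Err()
}

// Validate enforces the RFC 9116 requirements that decide whether a reporter
// can actually use the file. now is passed in so the check is reproducible.
func (st SecurityTxt) Validate(now time.Time) error {
	contacts := st["contact"]
	if len(contacts) == 0 {
		return errors.New("missing required Contact field")
	}
	for _, c := range contacts {
		if !strings.HasPrefix(c, "mailto:") && !strings.HasPrefix(c, "https://") && !strings.HasPrefix(c, "tel:") {
			return fmt.Errorf("Contact %q is not a mailto:, https:// or tel: URI", c)
		}
	}
	exp := st["expires"]
	if len(exp) != 1 {
		return fmt.Errorf("Expires must appear exactly once, found %d", len(exp))
	}
	when, err := time.Parse(time.RFC3339, exp[0])
	if err != nil {
		return fmt.Errorf("Expires is not an RFC 3339 timestamp: %w", err)
	}
	if !when.After(now) {
		return fmt.Errorf("file expired on %s; reporters should not trust it", when.Format(time.RFC3339))
	}
	if len(st["preferred-languages"]) > 1 {
		return errors.New("Preferred-Languages may appear only once")
	}
	return nil
}

func main() {
	st, err := ParseSecurityTxt(sampleSecurityTxt)
	if err != nil {
		panic(err)
	}
	fmt.Println("contacts:", st["contact"])
	fmt.Println("acknowledgments:", st["acknowledgments"])
	fmt.Println("validation error:", st.Validate(time.Now()))
}
```

Running a check like this in a scheduled job is a cheap way to notice an expired or malformed file before a reporter does; an expired security.txt is one of the most common reasons a vulnerability report never reaches the right inbox.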