Chapter III of the GDPR grants extensive rights to the data subjects. Two of the most important rights are the right of information and the right of access to the information the controller processes concerning the data subject.
In the following Bisnode will present more information regarding your rights as a data subject, together with general information about the personal data that we process as controllers.
2. Right of access to personal data
The right of access to personal data means that you have the right to ask Bisnode to confirm whether or not we process your personal data, and, where that is the case, access to the personal data.
To ensure that we provide the personal data to the correct individual, we have to verify the identity of the data subject prior to giving access. The easiest way to do this is to log in with BankID to our access portal where you will have access to the personal data we process about you.
Should you not wish to do this, you can send a copy of your identification papers to us and we will send you the requested information.
3. Bisnode's processing of personal data as controllers
As controllers, Bisnode Norge AS processes personal data for the following purposes: credit information, data brokering and directory services. Bisnode is part of the Bisnode group with offices in 19 European countries and personal data may be exchanged between the different legal entities in the Bisnode group on the basis of data processing agreements and shared services. Currently, Bisnode Norge AS has no processing activities in which we are joint controllers with another legal entity.
Below we will give general information of the personal data we process as controllers as part of our services, including the purposes, legal grounds, sources, and storage periods for said processing.
3.1. Credit information
Bisnode has a license from the Norwegian Data Protection Authorities (Datatilsynet) to process personal data for the purpose of credit reporting. The legal ground for this processing is GDPR article 6 (2), cf. the old personal data provision section 4-511.
1 With the implementation of the GDPR the old data protection provision was replaced, but the section regarding credit reporting was continued by Overgangsregler om behandling av personopplysninger § 4.
The personal data we process for this purpose and the sources we collect this data from are listed in appendixes 1 and 2.
The purpose of the credit reporting database is to provide accurate and up to date credit information to relevant stakeholders whenever the data subjects request. As such, it is necessary to retain your personal data for as long as necessary to facilitate credit reporting. However, specific credit information, meaning negative information regarding unpaid bills from collection agencies (betalingsanmerkninger) etc. will not be used for credit reports longer than four years.
After four years, the specific credit information is moved to our historical archives where it is stored for another six years (ten years in total) for the purpose of creating statistics and analysis before it is deleted.
Every time Bisnode sends a credit report to a client, a notification letter is sent to the data subject. Through our online access portal you can also see a list of all companies that have accessed your personal data for credit reporting services in the last six months.
3.2. Data brokering
Bisnode processes personal data for the purpose of providing data brokering services. Data brokering means that contact information is provided from an address broker (such as Bisnode) to businesses, for example banks, insurance companies, auto repair shops or non-profit organizations who wish to use this information to send marketing inquiries, or for polling and opinion purposes.
Datatilsynet has previously concluded that the use of basic data (contact information) in connection with data brokering and direct marketing can have a basis for processing in what is called "legitimate interest" (GDPR Article 6.1.f).
- It is Bisnode’s opinion that we have a legitimate interest in providing the data brokering services as this is both in the interest of our clients and their customers.
- It is Bisnode’s opinion that we have a legitimate interest in providing the address brokerage service as it has both a social and commercial interest.
- Bisnode's customers will also have a legitimate interest in marketing their products and/or conducting surveys/market research.
Additionally, it is a requirement of the companies who use the personal data from Bisnode for marketing purposes to provide information about where the information was taken from (source marking), and to give the data subjects the right to object to the processing. Against this background, the individual is considered to be well protected from intrusion on their freedom and fundamental rights.
- Bisnode's data brokering database contains information about individuals' names, addresses, telephone numbers, gender and date of birth (basic data). However, address lists will always contain at least one item of personal data in addition to the so-called basic data. This is a natural consequence of the fact that one always knows where the address lists come from, i.e. which register the information is taken from.
According to Datatilsynet's practice, the processing of this additional information will, as a general rule, not be particularly infringing on the privacy of the data subjects, and thus can be justified by "legitimate interest". Furthermore, Datatilsynet has previously stated that information from the Motor Vehicle Register can also be used for marketing purposes. Thus, it is possible to segment the lists based on information obtained from the Motor Vehicle Register, for example a notification prior to annual EU check on your car.
In line with Datatilsynet's practice, the source of our data brokering database is the name and address data from the Norwegian tax lists from 2004, which was the last to be disclosed as public data. Information received from the Norwegian Tax Agency as of 2005 is not included in our address brokering database.
The address base is continuously updated with information from Norway Post's address register, reservation register, Motor Vehicle Register, number information, telephone providers, information on deaths from the National Register etc., and is today updated for addresses and telephone numbers.
For the purpose of polling, the information is obtained from the Norwegian Property register (formerly the GAB register). This gives an overview of all official addresses in Norway. Bisnode Norway then inserts the names and telephone numbers of the addresses with information from our directory information database. Market and opinion polling companies are completely dependent on being able to access representative excerpts from the Norwegian population in order to carry out measurements. In this connection, it is pointed out that conducting market and opinion polls are social services and absolutely essential for social debate and research.
The purpose of processing personal data for data brokering services is to provide addresses to be used in marketing efforts by our clients. As such, it is necessary to store the personal data until the data subject requests to be deleted from the database.
Data subjects have the right to obtain from the controller information of “the recipients or categories of recipients” the data has been/will be disclosed to. The wording does not differentiate between the two options, and it is Bisnode’s view that a risk-based approach suggests that for our data brokering services, information of the categories of recipients of data is adequate.
Reference is made to the fact that the personal data that is processed is of a less intrusive nature in addition to being publicly available information. Furthermore, there is a requirement for each of the recipients to mark Bisnode as the source of data whenever they send a marketing effort to the data subject on the basis of information from Bisnode. In addition, all companies must also provide their data subjects with information of the sources of their data.
For Bisnode’s data brokering services, the categories of recipients the data is disclosed to are businesses in the field of finance (banks, lenders, insurance companies etc.), auto repair shops, retail, etc.
3.3. Directory services
Bisnode is registered with the National Communications Authority (NKOM) as a provider of directory services. Bisnode thus processes personal data for the purpose of offering directory services in order to assist companies and other entities with correct and updated contact information for their registries. Bisnode’s directory services serve businesses in the field of finance (banks, lenders, insurance companies etc.), auto repair shops, retail, political parties, non-profit organisations etc.
Datatilsynet has previously concluded that the processing of personal data for directory services can be considered as "legitimate interest" (GDPR Article 6.1.f).
- It is Bisnode’s opinion that we have a legitimate interest in providing data quality using our directory services. It is our analysis that this is both in the interest of our clients and their customers.
- In Bisnode’s opinion, we have a legitimate interest in providing the directory services as it has both a social and a commercial interest.
- Bisnode’s customers of directory services also have a legitimate interest in updating their customer registries or other forms of registries. There are also socioeconomic considerations that indicate that directory information can be exchanged to secure updated address registers.
- The risk to the rights and freedoms of the data subjects does not, in Bisnode’s opinion, outweigh the legitimate interest in this case.
- Reference is made to the fact that it is only contact information that is being processed, and that there is no clear risk to the rights and freedoms of the data subject.
In line with section 6-3 of the Ecom Regulations, Bisnode sources the following data from telephone operators for the purpose of offering directory services:
- Unique ID; date of birth or organization number
- User's last name, first name and middle name for personal users or company names. When the legal owner of the subscription and user is not the same, only the user's name should be transferred
- Street name or postal address
- House number
- Zip code
- Telephone number, including the main number when registered or reported by the end user
- Type of use, i.e. whether the number is used for landline, mobile phone or fax.
Because the purpose of directory service is to ensure data quality, the data is stored until the data subject requests to be deleted.
Data subjects have the right to obtain from the controller information of “the recipients or categories of recipients” the data has been/will be disclosed to. The wording does not differentiate between the two options, and it is Bisnode’s view that a risk-based approach suggests that for our directory services, information of the categories of recipients of data is adequate.
Reference is made to the fact that the personal data that is processed is of a less intrusive nature. Furthermore, all companies must also provide their data subjects with information of the sources of their data.
4. Automated decision-making/profiling
As controllers, Bisnode does not process personal data for the purposes of automated decision making, including profiling as per GDPR article 22. Bisnode has statistical information on the Norwegian population which in itself does not constitute “personal data”. As data processors for some of our clients, we couple this statistical data with the client’s personal data to perform what is known as “profiling”.
In some instances, our clients will use this profiling in their automated decision making. As it will be our clients who are controllers for this processing of personal data, any request for access or insight into the logic behind the profiling must be forwarded to the clients.
Reference is here made to the fact that our clients have an obligation to inform the data subjects about the profiling they perform as controllers.
5. Data portability
GDPR grants data subjects the right to “data portability” for the personal data which the data subject has provided to the controller where the processing is based on consent or on a contract and the processing is carried out by automated means.
Bisnode’s processing of personal data in relation to our services is not based on consent or contract. Therefore, the right of data portability does not apply to the personal data that we process as part of our services.
6. Right to rectification
If any of the data Bisnode processes concerning you is inaccurate, you have the right to request that the data be rectified. You also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
7. Right to object and the right to be forgotten
You have the right to object, at any time, to Bisnode’s processing of personal data concerning you which is based on ”legitimate interests” or ”consent”. This means that you have the right to object to Bisnode’s processing of personal data for the purposes of data brokering and/or directory services.
You also have the right to request that Bisnode deletes the data we process concerning you for data brokering and/or directory services.
However, because Bisnode receives regular updates from public registries, from which data subjects cannot request deletion, we have to store your name and address in order to ensure that we do not collect your information again. In these instances, your name/address will only be processed to ensure we respect your request to be deleted, and will not be processed for that particular service.
For credit reporting services, data subjects cannot request deletion as none of the conditions in article 17 of the GDPR apply.
However, data subjects can object to credit information being disclosed to other parties. This is done through what is called a credit freeze, which means that if a company tries to perform a credit check on you, they are only informed that you have enabled a credit freeze.
8. Contact details for Bisnode and our data protection officer
If you wish to request access to the personal data we process concerning you, or object to the processing as described in section seven of this document, this can be done through our online access portal.
If you do not wish to access this portal, or you have any other requests/complaints.
You can also send a letter to Bisnode Norge AS, Postboks 1419 Vika, 0115 Oslo.
9. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. For Norway, this would be Datatilsynet. Their address is Datatilsynet, Tollbugata 3, 052 Oslo.