1. Who is responsible?
DUVI AS is the data controller for the processing of personal data as described in this Policy.
DUVI AS (“DUVI”, «we», “us”) are committed to ensuring your privacy. DUVI processes your personal data in accordance with applicable data protection regulations, including the Norwegian Personal Data Act and the EU/EEA General Data Protection Regulation, (GDPR). DUVI has entered into contracts with external companies regarding data processing.
2. What is the purpose of collecting and processing your personal data?
We are only allowed to collect personal data for certain purposes regulated by law (including the Norwegian Personal Data Act and the GDPR). The data can only be used for the purposes they were collected for.
The purposes for collecting the data are, among others, to fulfill contractual obligations to our customers. For the duration of the contract, we use the personal data to document, manage and deliver the services agreed upon.
The legal basis for the use of the data for these purposes is either that it is considered to be necessary to fulfill contractual obligations to you as a customer, or, if you are employed by a customer of DUVI – a company that has a defined contribution pension plan with us – to fulfill our obligations as specified in the employer’s contract with us.
Another purpose is to provide service, frequent updates, and communications with our customers. We use customers’ personal data for marketing purposes, to build customer profiles and for product- and customer analyses.
We do this to be able to offer you the best, most relevant and customized services. The legal basis for using the data for these purposes is found in the GDPR, article 6.
Personal data make it possible for us to report to the government in accordance with Norwegian laws, e.g. for tax purposes. The legal basis for this use of your personal data is our statutory obligations according to Norwegian law and governmental requirements.
We need your permission to use your personal data in certain ways. Among them are special classes of data (e.g. information about your health); if we share information about you with our business partners; or when we send you information about products and services you are not subscribed to. You can withdraw your permission to use your data for some of these purposes by contacting us at firstname.lastname@example.org.
3. Confidentiality and security
We process your personal data in accordance with applicable data protection regulations. Only dedicated persons in DUVI have access to your personal data. We will share the data with third parties only when it is necessary to provide our services to you or to the extent we are obligated to do so by statutes or regulations, or for other purposes if or when you have given us permission to do so.
4. Which categories of data do we process?
Your personal data might include e.g. your national identity number (personnummer), name, address, zip code, country, phone number, email address and your accumulated pension plan funds from present or previous employers.
In addition, we have information about your current pension plan including investments, additional funds transferred, annual payments to you (pensions), the annual return on investments and costs/fees.
If your current employer has a pension plan with us, we also collect and update information about your salary, position, sick leave or other leave of absence from work, as well as the pension plan or other products included in the agreement with your employer.
5. From where do we collect your personal data?
In general, we collect the information from you and from your employer (when the employer is our client). At times we collect information from other sources, both private and public, e.g. corrections to your address from the Norwegian National Registry (Folkeregisteret).
We inform you when we collect information about you, except when the collection is required by law, if it is impossible or very difficult to reach you, or if we know that you have been previously informed about this data collection.
6. Is it mandatory to provide DUVI with this information?
Whenever possible, the collection and processing of your personal data is based on your consent. We have an obligation to provide the information you need to be able to give us such consent, to understand what you’re consenting to, and possible consequences for you. It is voluntary to provide us with this information. If we collect the information directly from you, we will inform you that it is voluntary to give it to us. However, in accordance with our license as a defined contribution pension plan manager, we are to a certain degree authorized to handle your personal data without your consent.
7. How and when do we give third parties access to your personal data?
DUVI gives external parties (contractors) access to your personal data, e.g. to provide us with IT services. This is regulated by data processing agreements. These external parties are prohibited from utilizing the data for any other purposes than those they are collected for.
Some of the data processors are established in countries outside the EU/EEA.
In the event personal data is transmitted to such countries, DUVI will make sure to take necessary steps in accordance with applicable data protection law to ensure that your personal data is handled securely and with the sufficient security level, equivalent to and on the same level as the protection offered within the EU/EEA area.
In circumstances where we act as agents for products that you or your employer purchase through us but are provided by others, we act as a data processor in accordance with the provider’s license and data protection policies, and specific data processing agreements. We will, when necessary, transfer information about you to such contractors.
8. How are personal data stored and deleted?
We will delete personal data when they are no longer necessary to carry out the purpose of the collection and processing. This means that as long as you are a customer of DUVI, we store the information. When the customer relationship is terminated, we keep the information until the statute of limitations expires for each product included in your contract with us. We do this in case of future demands from you in connection with your pension plan.
Your personal data can be processed for other purposes when you give your consent or when there is a legal base for such processing. We want, for instance, to keep relevant statistical data about our members and retirees for a long-term perspective.
Personal data that we collect and process based on your consent will be deleted if you withdraw your consent. The storage of DUVI’s reviews, decisions or other actions based on information collected with your consent are permitted even if your consent is withdrawn later.
If you request an offer or ask for information, we keep the information you have submitted in connection with this for 90 days. This applies if you are not already a customer of Duvi.
9. Your rights
You are entitled to access the personal data that DUVI collects and processes about you as well as information about how we collect and process it. Most of the information we have collected is available on your personal page on our website, minside.duvi.no. There you’ll also find your customer profile where you can see the information we have about you, and where you can change your consent(s).
It is important that the information we have stored about you is correct, and that it is necessary for our contract with you and our ability to provide good service. You can request that we correct or delete information that is incorrect or unnecessary.
DUVI will delete personal data when they are no longer necessary to carry out the purpose of the collection and processing. This means that as long as you are a customer of DUVI, we store the information. When the customer relationship is terminated, we keep the information until the statute of limitations expires for each product included in your contract with us. We do this in case of future demands from you based on your pension plan.
Your right to object to the processing of personal data
For some purposes, DUVI uses your personal data based on weighing our interest as a company against your interest as our customer. Examples of this are using the data for marketing purposes, testing IT systems, and the development of new products and services.
If there are special circumstances indicating that DUVI should not be allowed to process your personal data for such purposes, please contact us. In such cases, we will balance the different interests: DUVI will continue processing the information if we deem it necessary to decide, apply or defend a legal claim, or if we have compelling, justifiable reasons for the continued processing. If you don’t want DUVI to utilize your personal data in marketing efforts directed towards you, you can opt-out by sending an email to our customer service department (email@example.com). You must tell us if you want to opt-out from any or all of email, phone, and paper mail. We will continue to send you mandatory information even after you opt-out of our marketing. If you are/become an employee of a company which is or becomes a customer of DUVI, you will receive information from us in accordance with that contractual relationship.
Under certain circumstances, you can demand that DUVI limits how we process your information. If implemented, this means that DUVI will continue to store your data, but all other processing of the data must be temporarily paused.
Sample reasons for pausing the processing:
- if you think your personal data is incorrect
- if DUVI wants to delete the data, but you need them for legal requirements
- if you have complained about our processing and we are weighing your interest against ours
Sample reasons for continuing the processing regardless:
- if it is deemed necessary to determine, enforce or defend legal claims, or
- to protect the rights of others, or
- on account of compelling public interests
In accordance with legal requirements, DUVI has implemented measures to comply with the laws and regulations regarding satisfactory information security. All agreements entered into with suppliers/contractors about data processing and which includes the processing of personal data, outline security measures to safeguard confidentiality, integrity, and accessibility for the processing of personal data. The customer information is stored in an internal database in DUVI and at subcontractors and is secured against unauthorized access, alteration, destruction or dissemination. We constantly monitor which of our employees are authorized to access the database and seek to maintain good administrative and technical measures to protect the information.
11. Safe communication
In accordance with legal requirements regarding the handling of personal data, we have implemented safe communication by making sure that the national identification number (personnummer) and copies of identification documents are no longer being sent via unsecured e-mail.
12. About the Company's Privacy Information on our website (and blog)
Privacy and Cookies
When you use our services, DUVI stores information about you and your computer in cookies in your browser.
A cookie is a small text file that is left on your computer when you come to our website. Information you enter yourself can be linked to your user profile, and we will also store the IP address of the machine you are using. In addition, other information is stored, such as the time, so we can check when you were last logged in and adjust our service accordingly.
How to handle cookies in your browser
On https://nettvett.no/ you’ll find information about how to set your browser to accept/reject cookies and get tips for safer Internet use.
It is possible to subscribe to newsletters from us to receive the latest blog posts. For this purpose, we register your email address. The legal basis is your consent. You can withdraw this consent at any time by sending an email to firstname.lastname@example.org. Your email address is not shared with other businesses and is deleted when we are told that you do not want to continue receiving information from us. The information is also deleted if we receive feedback that the email address is no longer active.
Social media and blog features
Our site includes social media features, including sharing buttons for Facebook, LinkedIn and Twitter. Such features can register your IP address and which page you open on our site, and they can store cookies to enable features to work as intended.
Social media features are operated either by a third party or directly on our site. Your use of such features is subject to the privacy statement of the company providing them. In addition, DUVI has a blog where users are invited to leave comments. In order to publish the comments, the user must provide a name and email address. The blog comments will be stored as part of the discussion on the blog.
DUVI also sends information by email to those who are employed by companies that are our customers. To unsubscribe from these emails, you can click on the unsubscribe link at the bottom of the email. However, we will still send you the information that is required by laws regulating these agreements.
13. Contact information
If you would like to contact us about our privacy practices, please write to us as follows:
Attn. Compliance Department
Adolph Tidemands gate 55
N – 2000 Lillestrom, Norway
You can also email us at email@example.com
14. The right to file a complaint
If you believe that our processing of personal data is not in accordance with what we have described here or that we in other ways violate the privacy laws, you can complain to the Data Protection Authority (www.datatilsynet.no).
Ønsker du å motta et uforpliktende pristilbud for din bedrift? Legg igjen din kontaktinfo og en av våre ansatte vil ta kontakt med deg.