1. Introduction

1.1           Purpose

Arctic Bioscience AS (“Arctic”, “we”, “us”) is committed to data protection. It lies in the core of our business to keep data and communication confidential and to process it with care and diligence.

This Policy serves as a manual for our processing of personal data in accordance with Norwegian data protection law including the EU General Data Protection Regulation 2016/679 (GDPR). The terms used in this document shall have the meaning as defined in the GDPR.

This Policy has three sections:

  • Governing part: Our data privacy organisation and governing principles.
  • Operative part: Our data privacy guidelines and procedures for implementation of the governing principles and applicable data privacy laws. Some guidelines and procedures may be set out in separate documents, referred to in this Policy.
  • Controlling part: Our routines for auditing and monitoring compliance with the data privacy guidelines/procedures and applicable data privacy laws.

1.2           Scope

This Policy applies to the processing of personal data wholly or partly by automated means and non-automated processing of personal data that forms part of a filing system.

Personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or other factors specific to the identity of that person. Prosessing of personal data is not a part of our core business; we do however process personal data about our employees, as well as limited personal data about our customers and business contacts.

Processingmeans any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Automatedmeans that the processing of personal data is performed wholly or partly electronically. Most of our data processing is automated.

Filing systemmeans any structured set of personal data, such as personal files stored in hard copy.

2. Governing part

2.1           Privacy organisation

The legal responsibility for our data protection lies with Arctic as company.

The board of Arctic shall ensure that this Policy is appropriate.

The [CFO] of Arctic shall ensure that this Policy is implemented in the business and that the employees is familiar with the content of it.

Arctic does not have a data protection officer (DPO). We are not required to appointed a data protection officer, as we are not a public body, does not have as our core activities to regularly and systematically monitoring data subjects of a large scale, or does not have as our core activities to process special categories of personal data or data relating to criminal convictions or offences on a large scale.

2.2           Data protection principles

We will ensure that we process personal data in accordance with the data protection principles listed below. We will integrate these principles both at the time of determination of the means to be used to process personal data and at the time of the processing itself (data protection by design).

PrincipleDefinitionHow we comply
Data minimisationPersonal data must be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.1. We will not collect personal data that we do not need. 2. We will limit the use of personal data in documents that we produce.
Data accuracyPersonal data will be accurate, complete and up-to-date.1. We will verify collected data if we have reason to believe that they are inaccurate. 2. We will correct stored data if we have reasons to believe that they are outdated.
Data deletionPersonal data may be retained for no longer than is necessary for the purposes for which they are processed.1. We will establish data retention periods. 2. We will delete or anonymise data when the retention period expires.
Data securityPersonal data will be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.1. We will use appropriate technical or organisational data security measures. 2. We will use state-of-the-art systems and ensure that our service providers have an appropriate level of data security.
AccountabilityEach controlling entity is responsible for its compliance with data privacy laws.1. We will document our data privacy guidelines and procedures. 2. We will monitor compliance with such guidelines and procedures.

2.3           Lawfulness

We may only process personal data to the extent we have a legal basis for the processing. The legal bases we rely on are documented in our Record of processing activities (data protocol) (see section 3.8). Below is a general overview of our approach to the legal bases.

For non-sensitive data, we may generally rely on any of following legal bases:

  • Agreement. The data processing is necessary to fulfil an agreement with the data subject. Example: An employment contract or a subscription agreement with a customer.
  • Law. The data processing is necessary to comply with a legal obligation. Example: Collection of data for anti-money laundering purposes and storage of data for bookkeeping purposes.
  • Legitimate interest. The data processing is necessary in order to achieve a legitimate interest which overrides the data subject’s privacy interest. Example: Use of data for certain reporting or analysis purposes.
  • Consent. The data subject has given its freely given, specific, informed and documented consent to the processing. Example: For marketing purposes (see section 3.2 below). We will generally not collect consents from our employees, as the imbalance between them and we as employer generally challenge the voluntariness.

For sensitive data, we will show particular caution. Sensitive data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation). We may only process sensitive data if required for specific activities, and may typically rely on the following legal bases:

  • Employment. The data processing is necessary for the purposes of carrying out obligations and exercising specific rights in the field of employment. Example: The processing of employees’ health data to comply with our obligations as employer.

For social security numbers, we will limit the collection and processing to situations where we have an objective need for certain identification and the method is necessary to achieve such identification. Example: The processing of our employees’ social security numbers in order to comply with our obligations to report income to the tax authorities.

2.4           Purpose limitation

We may only process personal data for specified, explicit and legitimate purposes. The purposes for which we process personal data are documented in our Record of processing activities (see section 3.8).

We shall ensure that personal data are not further processed in a manner that is incompatible with the purpose for which they were collected. Subject to a case-by-case assessment, the following purposes will typically not be incompatible with the original purpose: communication, audits and investigations, dispute resolution, business development.

3. Operative part

3.1           Data retention and deletion (GDPR art. 5)

We may only keep personal data for as long as required for the purpose for which they were collected.

Our applicable data retention periods will be reflected in our Record of processing activities (data protocol).

We may use the following means of deletion: Automatic deletion, manual deletion, or anonymisation. If we select manual deletion, we will make sure that it is, as a minimum, is performed annually.

We will ensure that any processor storing data on our behalf adheres to the data retention periods we have established, and that we may require each processor to return to us or delete personal data after the term of the contract.

3.2           Marketing and profiling (GDPR arts. 6 and 21)

Our marketing communication, including sending newsletters and event invitations, must comply with the GDPR and relevant marketing legislation.

We will not send marketing communication by email unless:

  • We have the recipient’s consent, or
  • We have an existing customer relationship (which gives us the possibility to rely on legitimate interest rather than consent).

We currently do not perform profiling (evaluation of personal aspects of individuals to analyse or predict interests etc.) for marketing purposes. If we intend to do so, we will first consider whether applicable law requires us to collect consents or to allow the data subject to opt-out.

3.3           Cookies (Ecom Act art. 2-7b)

We use cookies on our website. To comply with applicable law, we will publish a cookie policy, and we will allow visitors of our site to opt-out (by respecting their browser settings).

We currently use cookies for marketing purposes. We have a cookie banner in place which allow for the collection of visitors consent to these cookies. We will not place marketing cookies without prior consent.

3.4           Transparency (GDPR arts. 12 – 14)

Our processing of personal data must be transparent. We will in a clear and plain language explain to the data subjects whose personal data we process, who we are, why we process their data and how the processing is carried out.

We shall make available a Privacy Notice (external) on our website to be transparent to our business contacts and the users of our website. Another Privacy Notice (internal) will be made available to our employees.

3.5           Data subject rights (GDPR art. 12 and arts. 15 – 23)

We shall respect the privacy rights of data subjects. Any request shall be handled without undue delay, and at latest within 1 month after the request was received (which may be extended with 2 additional months where necessary).

Requests will be refused if we have reasonable doubts concerning the identity of the data subject, and the data subject does not (upon request) provide additional information that adequately confirms his/her identity. The request may also be refused if we can demonstrate that it is manifestly unfounded or excessive.

Below is our guidance for handling various rights requests that we may receive.

Privacy rightWhen does it applyWhat exceptions are there
Right to accessUpon request from the data subject to receive a copy of its data.When required to prevent, investigate, expose or prosecute criminal acts.   When the data is solely found in texts drawn up for internal preparatory purposes and which have not been disclosed to any third party.   When the data is subject to statutory confidentiality.   When contrary to fundamental private or public rights, including contrary to the interest of the data subject him/herself (which may exclude the disclosure of personal data about others).
Right to correctionUpon request from the data subject to have its data corrected.When data is not inaccurate.
Right to erasureUpon request from the data subject to be forgotten, when: – the data is no longer necessary for the purposes for which it has been collected and used, – consent has been withdrawn (the deletion is limited to the data that was processed based on the consent),  – the basis for processing is a legitimate interest and the data subject opposes the processing on the basis of his/her particular circumstances, or – the data is processed in an unlawful manner.When further retention is required for the purposes for which the data was collected. This means that requests for erasure should generally be refused if our relevant retention periods are not expired.
Right to restrictionUpon request from the data subject to have its data “freezed”, when: – the data subject questions the accuracy of the data, and for as long as we need to verify and confirm the accuracy,   – the data is processed in an unlawful manner and the data subject opposes deletion, or – the data is no longer necessary for the purposes for which it has been collected and used, but the data subject wishes to use it to establish, enforce or defend a legal claim.In situations other than those mentioned in the left column.
Right to data portabilityUpon request from the data subject to have its data transferred in a machine-readable format, when: – the processing is based on consent or contract, and the processing is carried out by automated means, and – only for data provided by the data subject or generated by the data subject’s use of a serviceIn situations other than those mentioned in the left column. All data prepared by us. All data collected from other sources than the data subject. 
Right to objectUpon request from the data subject to have the continued processing of its data ceased, when: – the basis for processing is a legitimate interest and the person opposes the processing on the basis of his/her particular circumstances, or – the data subject objects to direct marketing (then, the objection shall only cover the processing performed for direct marketing purposes).  When there is no circumstances particular to the data subject that give grounds for the objection. When the processing is necessary to fulfil an agreement with the data subject. When the processing is necessary to fulfil a legal obligation that we are subject to. When the processing is based on the data subject’s consent (except where the consent concerns direct marketing). When the processing is based on a legitimate interest and we have compelling legitimate grounds to continue the processing.
Right to not be subject to automated decisionsUpon request from the data subject, when – the decision is made without human intervention, and – the automated decision creates a legal effect (such as a decision not to conclude a contract) or similar effect (such as to reject a job applicant).When fully automated decisions is necessary to entering into or perform a contract with the data subject. When the data subject has agreed to be subject to a fully automated decision.

3.6           Data protection by design and by default (GDPR art. 25)

Data protection by design. At the time of the determination of the means for processing and at the time of the processing itself, we will implement appropriate technical and organisational measures designed to implement the data protection principles (see section 2.2). If we ask service providers to perform system development or customization of tools, we shall require them to take due privacy considerations.

Data protection by default. We shall only use personal data which are necessary for each specific purpose. This means that we shall not collect excessive amounts of personal data, that we shall not process personal data for incompatible purposes, that we shall not store data any longer than required, and that we shall limit access to the data on a need-to-know basis.

3.7           Data processing agreement (GDPR art. 28)

Prior to engaging a processor (a service provider processing personal data on our behalf), we will verify that the processor provides sufficient guarantees to meet the requirements of applicable data protection law.

We shall conclude a data processing agreement (DPA) with all our processors. A DPA may form an appendix to another agreement. We may use our own DPA template, or we may use the processor’s template provided that it complies with GDPR art. 28(3).

When engaging important service providers, including service providers that are critical to the business, that process significant amounts of personal data, that process sensitive personal data on our behalf, or that uses cloud computing platforms, we will perform a risk assessment of the data security concerning the engagement of the service provider.

We will not transfer personal data to, or allow access of personal data from, a country outside the EEA, unless: it is a country approved by the EU Commission (see list here), we have concluded EU Model Clauses with the receiving entity, and implemented the necessary supplemental measures to secure the personal data.

3.8           Record of processing activities (data protocol) (GDPR art. 30)

We will maintain a Record of processing activityfor each of our data processing activities. The records shall be revised annually, and shall be updated when necessary.

The Record must, as a minimum, set out:

  1. The controlling entity
  2. The purpose of the processing
  3. A description of the data subjects and the data categories
  4. The categories of any recipients to whom the data have been or will be disclosed
  5. Whether data is transferred outside of the EU/EEA
  6. The data retention period

3.9           Data security (GDPR art. 32)

We will ensure the data security of our processing systems, by the following measures:

Security criteriaDefinitionHow we comply
ConfidentialityProtection against unauthorised access or disclosure of data.1. Our employees and business partners will be subject to adequate confidentiality obligations. 2. Our databases will be encrypted and subject to adequate access-control. 3. Our agreements with IT-vendors will include data security obligations. 4. Our physical facilities will be adequately protected against unauthorised access.
IntegrityProtection against unauthorised amendments to or deletion of data.1. Our databases will be encrypted and subject to adequate access-control. 2. Key documents will have version control (revision history).
AccessibilityAccess to data when needed.1. Our agreements with key IT service providers will have adequate SLAs. 2. Our main databases will be remotely accessible (VPN or similar).
ResilienceBusiness continuity is ensured1. Our agreements with key IT service providers will have adequate SLAs. 2. We will have back-up of our data.

We will document our data security measures, such as by means of risk assessments. The documentation shall be maintained, such as to update it if the nature of our business changes or if we make material changes to our IT systems or facilities.

3.10        Personal data breaches (GDPR arts. 33 and 34)

We may potentially experience a personal data breach – a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples are hacking, communication of personal data to wrong recipients, or lack of access control. This applies also if the breach occurs at one of our service providers, as long it relates to our data.

We will handle the breach as follows:

Documentation: All security breach must be documented. The documentation shall include a brief description of the circumstances of the breach and, if relevant, the consequences of the breach and the measures taken to mitigate it.

Notification. Depending on the privacy risk caused by the breach, as listed below, it may be necessary to notify the relevant data protection authority (DPA) and/or the affected individuals. Privacy risk may for instance be risk of discrimination, identity theft, fraud, financial loss, damage to reputation, loss of confidentiality, or social disadvantage. Examples may be where passwords, social security number, credit card data, or health data are compromised.

  • Low risk: If it is unlikely that the breach involves a privacy risk to the affected data subjects, no notification is required, but the breach must be documented internally.
  • Medium risk. If it is not unlikely that the breach involves a privacy risk to the affected data subjects, the relevant DPA must be notified within 72 hours. The notification is to be made through a template Altinn form.
  • High risk. If it is likely that the breach involves high privacy risk for the affected data subjects, individuals, the affected data subjects shall be notified as soon as possible. However, notification to the data subjects is not required if appropriate security measures are implemented (such as encryption of the compromised data), subsequent measures are taken to ensure that high privacy risk is no longer likely to materialise, or notification would involve disproportionate effort (in the latter situation, a public communication, such as on the website, shall be made).

3.11        Data protection impact assessment (GDPR art. 35)

Where a processing operation, such as the use of new technology, is likely to result in a high privacy risk, taking into account the nature, scope, context and purpose, we will perform a data protection impact assessment (DPIA). Due to the nature of our operation, we will generally not be required to perform DPIAs; however, we will make an assessment of whether it is required when we intend to implement new technology.

A potential DPIA must at least contain (i) a systematic description of the envisaged processing operation, (ii) an assessment of necessity and proportionality, (iii) an assessment of privacy risks, and (iv) measures to address the risks. Any performed DPIAs will be documented.

4. Controlling part

4.1           Audit

We shall review our Record of processing activitiesat least annually.

The [CFO] shall perform ad-hoc or periodic audits to monitor compliance with this Policy. The audits may for instance consist of discussions/interviews with relevant employees or control of data, systems or processes.

The [CFO] shall annually submit a GDPR compliance report to the board. He/she shall also report to the board on matters that materially infringes this Policy.

Only anyone with the power to sign on behalf of the relevant company shall be entitled to notify to or communicate with the Data Protection Authority.

4.2           Documentation

This version of the Policy, and any privacy documentation referred to herein, shall be stored for at least 5 years.

4.3           Policy revision

2021-04-09Version 1Danielle Glenn