This Privacy Statement describes how FourPhase processes personal data. This includes collection, processing, storage and sharing of information verbally, on paper and digitally. Use of ICT (information and communication technology) tools and data protection are also described.
FourPhase processes information, including personal data, to support our tasks and services for explicitly stated and legitimate purposes in accordance with applicable legislation.
- Employee administration
- Sales, marketing, and operations
- Invoicing
- Safety
FourPhase maintains a data processing log, doc no. 108913, which describes all processing of personal data done by the company, e.g. reason for processing, data controller, system/storage, access, erasure, etc.
FourPhase AS is the data controller. Responsibility and governance for processing activities and information security shall follow the line management responsibility in FourPhase.
Personal data which the company holds is only registered, processed and edited by employees or external resources authorized to do so. Personal data will not be used or modified unintentionally.
Personal data is only shared with third parties where the data subject has been informed of this, e.g. travel booking, planning of offshore trips, payroll or other statutory disclosures.
Processing, storage and deletion of personal data
FourPhase processes personal data in accordance with relevant legislation. Processing is performed either with the consent of the data subject, because it is required by law, to fulfill an agreement with the data subject or to fulfill a legal obligation.
For recruitment purposes, FourPhase processes personal data to ensure that the company recruits qualified candidates. The legal basis is related to the necessary processing of personal data to perform a contract or take the necessary steps before entering into a contract. The data subject will receive more detailed information about the processing of personal data during the recruitment process.
The FourPhase HR Manager is responsible for the processing of personal data concerning the company's own employees in order to manage salary, personnel responsibility, competence development, leadership development, etc. Examples of personal data that can be processed are salary, time registration, tax rate, tax authority, appraisal interviews, union membership, etc.
Other personal data processed by the company is related to employees' work instructions and the organization of employees' work. Examples of information being processed are name, personal identification number, expertise, certificates, etc.
Employees use telephone and email in daily dialogue with internal and external contacts. All employees are responsible for archiving relevant emails and notes; this may be in their own email account, in common email accounts or in the CRM system. Contacts, email messages and notes that are no longer relevant shall be deleted on a regular basis.
Upon resignation, the employee shall store files that could be important to the company and forward relevant emails to colleagues. Thereafter, file areas and email accounts linked to the employee are deleted.
The company registers information regarding office and workshop access control, as well as information about access to the ICT (information and communications technology) systems. There are no regular processing activities based on this information. However, if the company experiences breaches of the procedures, unauthorized access, theft, burglary, etc., the company can provide access to the registrations.
Employee name, position and work area are public information and can be published on the company’s website.
Deletion routines for personal data follow the Personal Data Act, Accounting Act and the Archive Act. Storage time and deletion time for data processed are specified in the company data processing log.
Data processors and data processor agreements
External data processors or third-party data processors may process personal data on behalf of FourPhase. A complete list of data processors and data processing agreements can be found in doc. “109022 Data processors & systems processing personal data”.
Data processor agreements between FourPhase and suppliers regulate which information the data processors have access to and how data shall be processed.
Transfer of personal data to others
FourPhase does not disclose personal data beyond what is defined by the data processing agreements unless we are required to do so by the authorities, such as the police, NAV or the Norwegian tax administration.
If personal data is transferred to external processors located outside the EU/EEA, for example, when FourPhase employees are to perform a work operation outside the EU/EEA, this is done in accordance with the employment contract with the data subject, EU-US Privacy Shield Agreement or EU Standard Contractual Clauses.
Right of access
Anyone registered in one of FourPhase’s systems has the right to access their own information.
Right of rectification
The data subject has the right to request that information which is incorrect, incomplete, or which the company has no right to process be corrected, deleted or supplemented. Consent given for processing of personal data may be altered or withdrawn at any time.
Right to object
The data subject has the right to object to the processing of personal data for use in direct marketing and profiling.
Right to erasure
Data subjects have the right to have their personal data erased if the information is processed based on consent and the consent is withdrawn.
The company deletes personal data when it is no longer relevant to fulfilling the purpose for which it was obtained. This means that the company processes personal data as long as the data subject has an agreement with us. When the agreement is terminated, personal data will be deleted according to the specified storage and erasure time.
Requests from data subjects shall be answered free of charge and within 30 days.
Internal control and safety work
Information security work shall be in accordance with internal routines and comply with applicable laws, rules and agreements.
Risk-reducing measures are based on risk assessments, relevance and cost-benefit assessments.
Incidents or changes that may affect information security shall be followed up systematically and be registered in “ASK”, the company’s system for registration and follow-up of NCRs, HSE incidents, observations and improvement suggestions.
Managers at all levels shall systematically control, monitor and follow up information security work in their department.
Information security work shall be evaluated systematically according to the company’s internal procedures.
All employees shall be familiarized with processing routines in their own work, which personal data they process, data processing requirements and use of ICT.
All employees must comply with the rules, regulations, guidelines, requirements and procedures that apply to them and the work they perform.