Last updated: Mar 1, 2022

PRIVACY NOTICE

Circa Group

1. OVERVIEW

This Privacy Notice (“Privacy Notice”) is prepared by Circa Group AS and our affiliates (“Circa”, “we”, “our” or “us”) to ensure that you receive the information we are required to provide to you, and which is necessary for you to exercise your rights under the General Data Protection Regulation (the “GDPR”) and applicable data protection legislation.

This Privacy Notice describes how we process personal data about you, the purpose of our processing activities, and the legal basis for our processing activities. Furthermore, this Privacy Notice provides you with information about your rights under applicable data protection legislation and other relevant information relating to our processing of your personal data.

2. CONTACT INFORMATION

The data controller for the processing of your personal data is Circa. If you have any questions about this privacy notice, including how we process personal data, or would like to submit a request to exercise your rights, please contact us at:

Circa Group AS

c/o Norske Skog ASA, Sjølyst plass 2, 0278 Oslo [email protected]

3. GENERALLY ABOUT PERSONAL DATA

Personal data means any information relating to an identified or identifiable natural person (a “data subject”). Your name, phone number, address and e-mail address are examples of information that generally is regarded as personal data. Depending on the circumstances, IP-addresses and similar identifiers may also constitute personal data.

4. OUR PROCESSING OF PERSONAL DATA

The list below stipulates the categories of personal data that we process and the purposes these personal data are processed for:

  • Contact information such as name, address, email address, place of work and phone number. We process these personal data for the purpose of providing our services to you or to your employer, and for the purpose of managing our customer and business relationships. Additionally, we may process this personal data for marketing purposes.
  • IP addresses or similar identifiers, as well as usage data such as account log ins, site navigation, clicks and browsing time. We process these personal data to generate statistics in order to improve the functionality and performance of our services. Further information regarding our processing of this personal data is included in Section 6 below.
  • Depending on the circumstances, we may also process other categories of personal data, and/or the above listed personal data for other purposes. This may for example be the case if you contact us with questions or comments.

Please note that our website may contain links to third-party online websites/apps. Such third parties have their own policies that govern their collection, use, and disclosure of information. We suggest that you read their privacy policies to learn about their practices.

5. OUR LEGAL BASIS FOR PROCESSING PERSONAL DATA

We base our processing of personal data on the legal bases set forth below.

Contact information. We process personal data about the representatives and contacts of our customers and business associates based on our legitimate interest in administering the business relationship we have with these persons, and for the fulfilment of the agreements we have entered into with you and/or your employer.

We furthermore have a legitimate interest in using your contact information to respond to your inquires or to provide you with necessary information.

6. OUR USE OF COOKIES

Cookies are small pieces of text to store information on web browsers. They are widely used to store and receive information to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

While the cookies that we use may change from time to time as we improve and update our services, we use them for the following purposes:

Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.

Functionality cookies. These are used to recognize you when you return to our website. This enables us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region).

Analytical and performance cookies. These allow us to recognize and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

The legal basis for our use of cookies is our legitimate interest. However, you may disable the cookies we use through the settings in your internet browser. Please note that if cookies are disabled, some or all of our services may become unavailable or not function as intended. To find out more about cookies, please visit www.aboutcookies.org or www.allaboutcookies.org.

7. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES

We may use different types of service providers in connection with the processing of personal data. These service providers will act as processors on our behalf. We have entered into data processing agreements with our processors which inter alia obligates the data processor to implement technical and organizational measures to ensure an appropriate level of security, confidentiality and integrity of the personal data, as well as to only process the relevant personal data in accordance with data protection legislation.

We will not disclose your personal data to any other third parties than the third parties described above, unless you have consented to such disclosure, we are required to do so under applicable law, or if it is necessary to establish, exercise or defend legal claims.

8. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

Some of our processors are based in a country outside the European Economic Area (“EEA”) and the processing may, therefore, involve the transfer, storage, and processing of your personal information outside of your country of residence, consistent with this Privacy Notice. Furthermore, we may share your personal data with other companies within the Circa Group, which are located outside of the EEA.

The country may not be on the list of countries deemed as adequate by the European Commission. However, whenever we transfer personal information to countries outside of the EEA, we take appropriate measures, in compliance with applicable law, to ensure that your personal information remains protected. Such measures include the use of Standard Contractual Clauses to safeguard the transfer of data outside of the EEA.

To request more information or to obtain a copy of the contractual agreements in place, please contact us by using the contact information above.

9. RETENTION AND DELETION

As a general rule, we will delete or anonymize personal data when they are no longer necessary in relation to the purposes for which they were collected or otherwise processed. If we process personal data to comply with our legal obligations, we will delete or anonymize the personal data when it is no longer necessary to process the data to comply with the relevant legal obligations.

10. YOUR RIGHTS

You have the following rights when we process personal data about you:

Access. You may contact us if you want to obtain confirmation with respect to whether or not we are processing your personal data, as well as access to and further information regarding our processing of your personal data. You may also request a copy of the personal data we are processing about you.

Correcting personal data (rectification). You may ask us to rectify any errors in your personal data.

Erasure (the right to be forgotten). You may ask us to erase your personal data, which request we will respect and comply with.

Restriction. You may ask us to restrict the processing of your personal data.

Object. You are entitled to object to certain processing activities. You are furthermore, on grounds relating to your particular situation (for example, a specific need for protection of your identity), entitled to object to processing of personal data based on legitimate interests, which we will comply with, unless there exists compelling legitimate grounds for our processing which override your interest, or if our processing is necessary for the establishment, exercise or defense of legal claims.

Data portability. You may ask us to provide you or others with your personal data in a structured, commonly used and machine-readable format.

Please note that the above rights may be subject to further exceptions and limitations in accordance with the data protection legislation.

You may contact us if you wish to exercise any of the above rights. Please note that we may request additional information from you if such information is necessary to confirm your identity.

11. SECURITY

As a controller, we are responsible for the security and confidentiality of the personal data we process. We are furthermore responsible for implementing appropriate technical and organizational measures to ensure an appropriate level of security for the processing. We’ve implemented such measures to ensure that your personal data is stored in a manner that reasonably protects it from misuse and loss and from unauthorized access, modification or disclosure.

12. QUESTIONS AND COMPLAINTS

If you have additional questions on how we process personal data, or are dissatisfied with our processing, you are welcome to contact us. Please find our contact information above.

You may also lodge a complaint with the relevant supervisory authority. Please click here to access the contact information to the Norwegian Data Protection Authority. The contact details for all EU Supervisory Authorities can be found here, and the contact details of the Australian Information Commissioner can be found here.

Further details on your rights are available in the Data Protection Act and the GDPR, which can be accessed by clicking here.

13. CHANGES

We may update the Privacy Notice from time to time. The Privacy Notice will, for example, be updated to comply with any legislative amendments or if we make changes to our processing of personal data.

The most recently updated version of the privacy notice will always be available at www.circa-group.com.