INPEX Idemitsu Norge AS, a company organised and incorporated under the laws of Norway, with organisation number 953 133 210, having its registered office at Lysaker Torg 25, 1366 Lysaker, Norway (“IIN”) is a privately-owned company, and does not typically engage in business that requires extensive collection and storage of Personal data.
In the limited circumstances explained below where Personal data is processed, IIN will be the data controller for all such processing and undertakes to process such Personal data only for appropriate purposes and in accordance with the policies and laws applicable from time to time, including Personopplysningsloven (Norwegian Personal Data Act).
- Personal data (or personal information) means any information about an individual from which that person can be identified directly or indirectly. This includes, e.g., name, address, contact details and similar information. This also includes Technical data and Usage data to the extent an individual may directly or indirectly be identified.
- Technical data means internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on or information about the devices you use to access our website.
- Usage data means information about user behaviour on our own communication-channels, such as our website and newsletters, e.g. information about how long you stay on our website or whether you have opened our newsletter.
Personal data we process and ways of collecting such data
The Personal data we process depends on the context of your interactions with IIN. However, the Personal data we process broadly falls into the following categories:
- Contact information. Such as name, title, address, telephone number, email address, date of birth, etc.;
- Business related information. Such as information about our customers’ employees, e.g. in relation to our procurement of goods and services, invoicing information, etc.;
- Recruitment information. Such as application, CV, references, interviews and assessments, immigration and relocation information;
- Communication-related information and preferences. Such as preferences related to marketing and events (including allergies/dietary restrictions when provided by participants);
- Technical data;
- Usage data; and
- Security related information. Such as video surveillance of our premises.
Such Personal data may be collected:
- directly by you, e.g. by filling in one of our online forms or by corresponding with us by post, phone, e-mail or otherwise;
- directly by IIN staff when establishing a business relationship or through operational dealings;
- from a third-party service provider or agent, from a source of publicly available information (e.g. websites) or from an employer (e.g. where a supplier or contractor provides Personal data about their employees).
Legal basis for processing
We will only process your Personal data if we have a legal basis for processing, which may be one of the following:
- Consent. Where you have consented to the processing. Please note that you have the right to withdraw your consent at any time, but that the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal;
- Performance of contract. Where processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
- Legitimate interests. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. This may be, for example, where you provide Personal data to us for a job application and we evaluate that information in order to consider the application, or other situations where such processing is necessary for us to manage our operations, provide services or other legitimate business interests.
- Legal obligation. Where we need to comply with a legal obligation, such as storing information about customers for accounting purposes.
When and for what purposes we process your Personal data
We may process your Personal data in the following cases:
- Communication, including feedback. If you contact us by e-mail, by filling out one of our online forms on our website or by other means of communication, e.g. in the form of an inquiry or complaint, we may process your Personal data to handle such inquiry or complaint, and the inquiry may be stored for internal training purposes. We may also process Personal data in other communication with you.
- Procurement and other business relation purposes. If you are one of our customers or an employee of our customers, we may process your Personal data e.g. in our correspondence with you or to handle the business relationship, for instance to be able to provide you with goods and services or send you invoices.
- Subscription. If you subscribe to our newsletters, we may process your Personal data, such as e-mail address and name, to send you such newsletter.
- Events. If you have registered for or attend one of our events, we may process your Personal data e.g. to register the participants.
- Recruitment. If you have applied for a job with us, we may process your Personal data to handle your application, and store the information to be able to contact you at a later point if you consent to it.
- Security. IIN has implemented various security measures that require processing of Personal data. This is to safeguard against illegal or unauthorized access to areas, buildings, rooms, systems or equipment, and we may e.g. process Personal data through camera monitoring of our premises.
Change of purpose
We will only use your Personal data for the purpose for which we collected it, unless we reasonably consider that we need to use it for another reason, for example, where this is required by law. If we seek to use Personal data in a materially different way than we had previously, we will provide prior notice to you, for example by e-mail.
Sharing your Personal data
We do not share Personal data with third parties except in the limited circumstances outlined below:
- Affiliates. Your Personal data may occasionally be processed by other companies in the Idemitsu group. Idemitsu group companies follow the same rules when involved in processing your Personal data. These rules are called “binding corporate rules” and apply if your Personal data is transferred to any group company. You can find our binding corporate rules at [LINK].
- Public institution(s). Any competent law enforcement body, regulatory body, government agency, court or other third party where we believe disclosure is necessary (a) as a matter of applicable law or regulation, (b) to exercise, establish, or defend our legal rights, or (c) to protect your vital interests or those of any other person.
Regardless of the above, IIN will never share, trade or sell your Personal data to a third party for marketing purposes.
We may also share anonymized, aggregated information with selected third parties for statistical purposes.
Additionally, some processing of your personal data may involve services outside of Norway. In this case, your personal data will be protected by appropriate transfer safeguards which guarantee an adequate level of data protection wherever your data is physically sent.
Some processing of your Personal data may involve services outside of Norway and the EU/EEA. Whenever we transfer your information, we take steps, including preventive measures, designed to protect your Personal data.
For all international transfers, your Personal data will be protected by appropriate transfer safeguards which guarantee an adequate level of data protection wherever your data is physically sent. All international transfers within the Idemitsu group will be protected on the basis of our binding corporate rules, cf. above. All other international transfers will also be protected by appropriate transfer safeguards, such as the EU Commission approved standard contractual clauses (“SCCs”).
We have put in place appropriate technical and organisational controls to prevent your Personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal data to those within IIN and its affiliates who have a business need to know and are subject to confidentiality obligations, or data processors who are obliged to comply with similar obligations.
We will only retain your Personal data for as long as necessary to fulfil the purposes we collected it for. We retain Personal data where we have an ongoing legitimate business need or legal obligation to do so. Our retention periods will vary depending on the type of data involved, but, generally, we refer to these criteria in order to determine the retention period:
- Whether we have a legal or contractual need to retain the data. This may e.g. be if we are obliged to retain customer information to comply with accounting legislation;
- Whether the data is necessary to provide our services. For instance, if you are one of our customers or an employee of a customer, we will, generally, store Personal data for as long as the business relationship lasts, and store project information, archives, documents, e-mails, contact information and similar information for after the business relationship has ended;
- If you have sent an e-mail to our e-mail account provided below or used the contact form on our website, the correspondence will be automatically deleted after six months, unless, based on a concrete assessment, we consider that we have a legitimate interest in storing it longer, e.g. due to ongoing correspondence with you.
When we have no ongoing legitimate business need or a legal obligation to process your Personal data, it will be deleted or anonymized as soon as possible and in accordance with applicable law.
Your legal rights
You have certain rights under data protection laws in relation to Personal data we hold about you. You can ask us to:
- confirm whether we process your Personal data;
- give you access to and a copy of your Personal data;
- change incorrect or incomplete Personal data;
- delete or stop processing your Personal data;
- suspend or limit the processing of your Personal data; and
- disclose your Personal data to you or others in a structured, commonly used and machine-readable format (data portability).
You can also:
- object to the processing of your Personal data; and
- withdraw consent where the basis of processing was consent.
Please note that exceptions and limitations from the above rights may apply. For example, we may not delete your Personal data if we are legally obliged to store the information.
Please see below for contact details for exercising these rights.
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies.
Privacy of Children
Our website is not intended for anyone under the age of 18 and we do not knowingly collect or process Personal data relating to children.
Contact details and complaints
You can also complain to the Norwegian Data Protection Authority, which is responsible for controlling the privacy regulations in Norway. You can also complain to the relevant data protection authority in any EU/EEA member state where you live or work, or where you believe that a violation has taken place.