Data protection

Advice on compliance, quality assurance of documentation, procedures, privacy statements, data processing agreements, assistance with supervision.

All businesses process personal data and must comply with strict requirements in the General Data Protection Regulation (GDPR), the Norwegian Personal Data Act, and several regulations. In addition, processing may be regulated by various sectoral laws, for example in the health sector. The types/categories of personal data processed by the business and the scope of processing vary. This has an impact on the extent of technical and organizational measures required by the business, but there are still requirements for documented assessments, data processing agreements, and information to data subjects. We also see that the use of AI often involves the processing of personal data, without the business paying sufficient attention to this.

When the GDPR (General Data Protection Regulation) came into force in the summer of 2018, "all" Norwegian companies became concerned with privacy, presumably largely due to the risk of high fines for non-compliance. We had been assisting companies with privacy compliance for a long time before that, have extensive experience, and are well acquainted with various privacy assessments.

We want to help small and large businesses comply with privacy regulations in a sensible manner and achieve good compliance. This applies both to businesses that view personal data as a key asset and process personal data on a large scale for various purposes, and to businesses that only handle personal data as a strictly necessary part of their operations, such as paying employees' salaries and ensuring that customers receive the goods and services they have ordered. Part of good compliance is ensuring that consent is obtained correctly when using cookies and similar technologies – cookie banners.

Privacy regulations are difficult to access because many of the rules are based on EU legislation and because there are ongoing developments in case law and practices from European and national supervisory authorities (EDPB, Datatilsynet, and Nkom). We place great emphasis on keeping up to date with the regulations, while also monitoring technological developments in order to meet our clients' needs. This has meant, among other things, that we now spend a lot of time on the privacy issues associated with the use of AI, so that we can support businesses in developing their AI strategy by identifying risks and measures, as well as ensuring best practice through the introduction of guidelines, training, and documentation.

 

We assist with:

  • Mapping of companies' processing of personal data
  • Preparation and quality assurance of privacy documentation
  • Analysis of companies' needs for changes and design of routines and declarations, etc.
  • Assessment of legal basis/processing basis for ordinary personal data and special categories of (sensitive) personal data
  • Documentation of legitimate interests with balancing of interests
  • Design of consent text
  • Preparation of privacy statements for customers, employees, etc.
  • Preparation of cookie policy and handling of cookie banners
  • Deviation handling with possible notification to the Data Protection Authority and the data subject
  • Establishment of procedures for access, corrections, deletion, and restriction of the processing of personal data
  • Deletion procedures
  • Privacy assessments for various types of processing, for example before purchasing a new IT solution or using an existing solution for a new purpose
  • Privacy assessments, drafting of guidelines, training, and documentation when using AI
  • Risk assessments
  • Data protection impact assessments (DPIA)
  • Privacy procedures for marketing
  • Privacy procedures for HR/employees
  • Control measures for employees
  • Use of images
  • Camera surveillance
  • Procedures for maintenance and auditing
  • Privacy manual (internal control)
  • Data processing agreements
  • Agreements between joint controllers
  • Confidentiality agreements (NDA)
  • International transfers of personal data to third countries, with assessments of the basis for transfer, such as Standard Contractual Clauses (SCC) with Transfer Impact Assessment (TIA), Binding Corporate Rules (BCR), adequacy decisions, or certification mechanisms such as the EU-US Data Privacy Framework (DPF) that apply to transfers to the US
  • Implementation of privacy in technological solutions - Privacy by design/default
  • Supervision by the Data Protection Authority
  • Annual control/audit of privacy
  • Courses and training

Meet the team:

Grete Funderud Stillum.

Lawyer MNA | Partner