This Privacy Notice applies to Crayon Group. In the following referred to as “We” or “Crayon”.
We are registered in Norway under registration number 981125592, and the registered office is located at Sandakerveien 114a, 0484 Oslo, Norway.
Crayon Group views the protection of Personal Data and Data Privacy as more than a legal obligation; we consider personal privacy a fundamental right that we as a company have the responsibility to protect. Crayon is committed to safeguarding all Personal Data that we may process about customers, suppliers, or our employees to the best of our ability.
We abide by all applicable national or international data privacy laws and we fully cooperate with and support any activities that aim to verify our compliance in the form of investigations and audits. We report data breaches as quickly as possible and take a result-oriented approach to effectively and efficiently resolve any issues resulting from an unintentional or unforeseen data breach.
This Privacy Notice describes the framework for honoring these privacy commitments. We strive to be transparent and provide accessible information, so if you have any questions related to this Privacy Notice, please contact our Data Protection Officer on the contact information listed above.
We apply the following seven principles when collecting and/or processing personal data:
Personal Data: means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Art.4(1) EU GDPR
1. Personal Data will be processed lawfully and fairly
2. Personal Data will be kept, used, or disclosed for specific and lawful purposes
3. Personal Data will be adequate and relevant, not excessive
4. Personal Data will be retained for no longer than is necessary for the purposes for which they were obtained
5. Personal Data will be accurate, complete, and up-to-date.
6. Personal Data will be provided in transcript copy to individuals upon request, in line with our commitment to the law
7. Personal Data will be kept secure using technical and organizational measures, grounded in privacy by design.
This policy applies where Crayon is acting as a Data Controller with respect to the Personal Data of Customers or Partners enrolled in the Crayon pulse rewards Programme.
In the interest of providing the services listed in Section 4.1 (Scope) we may process the following personal data:
For the purposes of:
We collect this personal data using various methods including:
We may combine information that we collect about you through this website with information that you provide to us by other means.
As most of the personal data we process is limited by what you may provide to us, we strongly discourage providing personal data that is not relevant to the service.
Under no circumstances do we collect special categories of personal data as defined in Article 9 and 10 of the GDPR.
We may process any information that you send to us in relation to an enquiry or request for services.
Taking into consideration that:
We consider Legitimate Interest the most appropriate lawful basis. To ensure that we can document and justify this decision, we have conducted a Legitimate Interest Assessment, which can be issued upon request. To request an LIA, please contact our DPO on the Contact Details listed here.
Crayon Group operates in over 20 countries within and outside the European Union (EU) and European Economic Area (EEA). As a result, your personal data may be subject to international transfers.
Despite the limitations of the geographical scope of the General Data Protection Regulation (GDPR), we apply the same standards and principles governing data protection to every employee, contractor, consultant and agency staff employee working for any of our subsidiaries worldwide.
To ensure a consistent high level of protection, we have put in place our corporate binding rules. To request a copy of our corporate binding rules, please contact our DPO on the Contact Details listed here.
The confidentiality and integrity of data stored on our IT systems are protected by controls to ensure only authorized employees have access to those capabilities required for their duties. All employees have signed a confidentiality agreement.
We may distribute your Personal Data to any member of Crayon Group, i.e. any of our subsidiaries, if it is necessary and reasonable for the purposes set out in this Privacy Notice. We have Binding Corporate Rules in place to ensure all the same consistent level of protection. To request a copy of our corporate binding rules, please contact our DPO on the Contact Details listed here.
We do not disclose your personal data to any third parties, public or private without your prior consent, unless we are obligated to by EU or national law, or it is necessary to protect the vital interests of you or any other natural person that we process personal data concerning.
Crayon protects your Personal Data and has internal Information Security rules, process and controls in place to protect your Personal Data. Our Information Security is based on a thorough evaluation of the risks involved taking into consideration the categories of Personal Data and the types of Data Processing in question.
We have put in place technical and organizational security measures to ensure that protect your Personal Data against unauthorized or unlawful processing and against accidental loss, destruction or damage.
Additionally, we ensure that only authorized persons gain access to your Personal Data. To prevent data loss, we continuously back up all data.
In the event of a data breach, we will notify the relevant supervisory authorities. If the data breach entails any risk for you, we will notify you immediately.
Your personal data is stored only for as long as it is necessary for to fulfil the purpose for which the personal data was obtained.
As a rule we will retain your Personal Data for the period that you are registered with the Crayon Pulse Programme. Thereafter your Personal Data will be retained for 6 months to enable an orderly close of the programme. Your transactional data will not be stored for a period of more than 2 years. Thereafter your personal data will be irretrievably delete.
In cases where it is not possible for us to specify in advance the specific data retention periods, we will determine the period of retention based on an individual evaluation of the necessity and relevance for the purposes specified in Section 4.1
If you wish to have your personal data erased, please refer to section 7.1 below on your right to erasure.
Legal obligations: Notwithstanding the other provisions of this Section 6, we may retain your personal data where such it is necessary for compliance with a legal obligation, or in order to protect your vital interests or the vital interests of another natural person.
In the interest of full disclosure and transparency we have summarized your rights under GDPR Chapter 3 in this section. However, some these rights are complex, and you are therefore encouraged to read the relevant laws and/or guidance from your local supervisory authority.
The Right of Access
You have the right to know whether we process your personal data. If we do, you have also the right to access this personal data, providing the rights and freedoms of others are not affected.
We will provide a transcript of your data. The first copy will be provided free of charge, but additional copies may be subject to a fee of 10 euros per copy to cover administrative costs.
Should any of your personal data prove to be inaccurate or incomplete, you have the right to have this corrected/rectified.
The right to erasure is also known as the “right to be forgotten”. If any of the conditions in Article 17 apply, you have the right to have your personal data deleted from our records.
Please be aware that there can be certain exceptions to the right to erasure, such as exercising the right of freedom of expression and information, for compliance with a legal obligation, or for the establishment, exercise or defense of legal claims.
In some circumstances you have the right to restrict the processing of your personal data, for example if:
This list is not exhaustive, and we would like to refer you to Article 18 of the GDPR for the full list.
As a general rule, you have a right to be notified of:
You have the right to receive your personal data m us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
The Right to object
You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for:
If you object to us processing your personal data we will cease to process the data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defense of legal claims.
You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.
You may exercise any of these rights by submitting a “Subject Access Request”(SAR). This can be done by forwarding a request in writing to our Data Protection Officer with a clear description of the information you seek. We will respond to your request within 10 working days.
We take a service-oriented approach to facilitating your rights. However, should you experience that we have sufficiently answered your request, or that our processing of your personal data infringes data protection laws, please do not hesitate to submit a complaint to our DPO.
Submitting a complaint to our DPO does not prevent you from submitting a complaint to the relevant supervisory authority in parallel. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.