How Sandviks AS uses your personal data
Whenever you purchase an item, subscribe to one of our products, or use a free service from Sandviks, you give us access to some personal data. The aim of this document is to explain as best we can what data we collect, why we do so, and how we process your data so as to protect your interests and statutory rights.
In connection with the planned launch of the EU’s General Data Protection Regulation (GDPR) on 25 May 2018, we must provide details of how we handle personal data in a way that is “brief, understandable and readily accessible in clear and simple language”.
What personal data do we collect?
We collect the data we need in order to deliver the products or services that you order from us in the best possible way, and to better communicate with you. We also collect relevant statistics to improve our services.
We seek to achieve this through clear communication, by obtaining your consent, and by giving you an easy way to limit our use of your data.
Personal data obtained directly
Whenever you place an order with us, you transfer certain data about yourself, such as your name, contact details and delivery address.
All you purchases are stored so that we can comply with payment procedures and the laws and regulations concerning accounts and our book-keeping documents.
Many of our services are based on information about your family situation: expecting a baby and children’s ages are examples. That is because we seek to offer you products and services that are relevant to your situation.
We also ask for your opinions about our products and services, so as to improve our routines in general and help us answer questions and make better offers to you individually.
We also offer services where you store other personal details to help us form a tailored product. For example, you can store a profile photo. Private data like this is only processed in order to make your experience more personal.
We receive data whenever you use our services
Whenever you visit our webpages you leave information about your IP address, web browser, device, and also the pages and services you visit. This data can potentially link to your identity when combined with other data.
Log data saved
Internet visits are logged and used to
- monitor and improve our services based on statistics
- run fault-finding checks in case of software issues or technical problems
- generate group profiles based on visits, to improve communication with you and minimise irrelevant information
- create personalised communication with you.
Cookies are stored on your device
Cookies help to
- simplify your use of services, such as automatic recognition and log-in
- analyse website traffic and recognise unique visits not obtainable from log data
- Customise marketing processes on the web to increase advertising relevance. Visits using your device may affect the ads you receive from other sources, like advertising networks, Google and Facebook.
We enrich your personal data with third-party and public data
We enrich your data with solutions by third-parties where this can improve, restrict or close off services. Here are some examples:
- receive a change of address from the Postal Service if a package is forwarded to a new address
- update your phone number or address based on data from a directory service
- update your official reservation settings based on births and deaths data from the Brønnøysund Registers
- correct spellings in street names and postal towns.
We do NOT
We do NOT save sensitive payment details about your credit or payment cards in our own system. Such details are stored with authorised Data Processors – in our case currently with Dibs.no.
We do NOT process images using biometric procedures.
Why is this data processed?
Sandviks’ mission statement and business objective, “Enriching young minds”, signals that we dearly hope to have a positive influence on childhood growth and development, by offering sound and relevant products and services to mothers-to-be and young families. This means we process your personal data in order to:
- deliver purchases and services you have ordered
- allow us to improve our products and services by analysing aggregated (non-personal) data
- comply with legal requirements under other legislation, for example keeping sales records under the Accounting Act
- create a personalised experience when you communicate with us, and allow us to suggest relevant products and services from ourselves and our partners.
How is your data processed?
Whenever we collect personal data from you, your consent must be clear and unambiguous, and this Policy Statement must be easily available.Personal data is stored in a well-organised central document system, where access rights and data security comply with the GDPR.
The data are used to:
- ensure as personalised a service as possible, and relevant interaction regarding our products and services
- ensure best possible responses to enquiries
- allow Sandviks’ product developers, analysts and customer relations staff the best possible opportunity to improve products and services
- provide you with the best possible information about other relevant products.
Many of Sandviks’ services are based on automated decisions. This means that algorithms based on your personal data control what products we recommend, or what we consider will most interest you. The aim is a more personalised experience. What we offer is not supposed to discriminate in any way, except that Sandviks may offer established customers better terms and conditions than recent additions.
We allow data processing by third-parties in order to complete certain services. For example, data for a personalised book will be sent to the contractor who produces the book, or to the printer, who sends you a letter on our behalf. In every case, Sandviks is responsible for your personal data, and has secure routines to erase data extracted for temporary purposes.
Whenever data is forwarded to a third-party for their use, this will only happen with your express consent.
Personal data is automatically erased 10 years after your last contact, or when requested by you. The data will then be anonymised so that it can no longer be linked to you as a physical person. The encryption key for the anonymisation process is stored in a separate system that is only accessible in case of legal action.
Certain personal details may be retained after erasure in a special reservation table, the sole purpose of which is to exclude all marketing to the email address or phone number if later supplied by a new source.
Certain personal data cannot be erased before a certain date by law. For example, under the Accounting Act, names and addresses of paying customers must be kept on file for 10 years, although other data may be erased.
Your legal rights
The regulations secure certain rights for you regarding access, correction, erasing, restrictions and data portability. You can access these settings on your Sandviks “My page”.
Your settings page shows most of the personal data we have saved for you. It allows you to delete or correct data, and set the defaults for marketing promotions and other user restrictions for your personal data.
On request we will supply an xml data file with full access. This file is also your portability guarantee, as there is currently no other established standard we can align with.
You can pursue your legal rights regarding access, correction, erasing, restrictions and data portability by sending an email to our Customer Service Desk at firstname.lastname@example.org.
If we wish to use your personal data for purposes other than as described in this Policy Statement, Sandviks will send you details beforehand, and request your consent whenever relevant.
The GDPR imposes many obligations on Sandviks over and beyond those covered by this document. The full text of the GDPR is found at the Norwegian Data Protection Authority website, datatilsynet.no.
We hope we can answer as many of your queries as possible via our Customer Service Desk at email@example.com. If any serious data breach or inconsistency occurs requiring an official report or involvement by the authorities, please also contact our Data Protection Officer (DPO) at firstname.lastname@example.org, and the Data Protection Authority. They have their own special and independent routines for how to handle such situations.
Sandviks AS is our registered Data Controller, address: Strandsvingen 14, 4032 Stavanger, Norway. The same company is our registered Data Processor. Two subsidiaries: Sandviks Förlag AB, and Lilleba og Herremann AS, as members of the Sandviks Group of companies, are also represented for GDPR purposes by Sandviks AS.