PRIVACY POLICY FOR SESAM SOFTWARE AS A SERVICE (THE SERVICES)

1. Introduction

This document contains the privacy policy for processing of personal data in relation to the Services provided by the controller Bouvet Norge AS, organisation number 996 756 246, Sandakerv. 24 C, 0473 OSLO, Postbox 4430 Nydalen, 0403 Oslo (“SESAM”).

This privacy policy only applies to personal data of the Customer processed for SESAM’s own purposes. Processing carried out by SESAM in the role of data processor for the Customer as the controller is regulated by the Terms of Service.

Anyone who uses or accesses the Services shall by doing so be deemed to have agreed to the terms of this privacy policy and such collection, use and other processing of data as set forth below.

2. Legal basis for processing of personal data

SESAM only processes personal data necessary for the purpose of fulfilling SESAM’s contractual obligations to the Customer according to the Terms of Service, or in order to take steps at the request of the Customer prior to entering into the Terms of Service.

3. How personal data is processed through the services

The processing of the Customer’s personal data by SESAM shall only cover categories of personal data that are implied under the Services for the purpose of entering into the Terms of Service, management and/or follow-up of the Terms of Service, and only to the extent necessary to fulfil such purposes.

4. Storage period for personal data

SESAM will keep personal data for as long as necessary to fulfil their contractual obligations towards the Customer, as specified in the Terms of Service. Personal data will be deleted or anonymised as soon as possible after the termination of the Customer’s account, unless it must be stored in order for SESAM to fulfil obligations in statutory law.

5. Where personal data is processed

SESAM may use sub-suppliers and transfer personal data to these sub-suppliers, including sub-suppliers in countries not considered to have adequate legislation for protection of personal data. In such cases, SESAM will only transfer personal data subject to appropriate safeguards provided by sub-suppliers, such as a legally binding and enforceable instrument between public authorities or bodies, or standard data protection clauses adopted by the EU Commission. A copy of such safeguards may be obtained by contacting SESAM.

6. Transfer of personal data to others

SESAM will not transfer or provide access to the Customer’s personal data to any third party except when

(i) With the Customer’s consent,

(ii) when required by law, or

(iii) when necessary in order to perform SESAM’s obligations to the Customer, or its statutory obligations, or to exercise its legal rights, or defend against claims or other process.

7. The customer’s privacy rights

7.1. Right of access

Upon the Customer’s request, SESAM will grant the Customer access to all Personal Data that Customer maintains about the Customer, unless such information is otherwise available to the Customer, or SESAM is legally prohibited from disclosing such records.

7.2. Right to rectification or erasure of personal data or restriction of processing

If any Personal Data prove to be incorrect or misleading, the Customer is entitled to have the data rectified.

7.3. Rights in connection with Disclosure

In all cases where SESAM is allowed to disclose Personal Data to third parties, it will ensure that the person to whom disclosure is made grants the Customer the same rights as those set forth herein with respect to the processing of Personal Data (including the right to be informed about the data maintained on the Customer and the right to correct or have corrected incorrect or misleading information).

7.4. Right to data portability

The Customer has the right to receive the personal data concerning him or her, which he or she has provided to SESAM, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from SESAM.

7.5. Right to lodge a complaint with a supervisory authority

The Customer has the right to lodge a complaint with a supervisory authority if the Customer considers that the processing of personal data relating to him or her infringes his or her rights.

8. Jurisdiction

Any dispute that may arise between the Customer and SESAM in connection with this privacy policy or SESAM’s data processing activities shall be subject to the jurisdiction specified in the Terms of Service.

9. Change of the privacy policy

SESAM may amend or repeal this privacy policy at any time by posting a revised privacy policy or a new policy document in its place. If such revised or new policy includes a significant change to the way that Personal Data may be treated, SESAM will notify the Customer of the fact that its privacy policy has changed by sending the Customer an email to the address associated with their User Account, and by posting a prominent notice on the Services.