Schibsted Norge AS’ processing of personal data about customers, partners, and advertisers’ employees in connection with advertising sales
1. Information About the Processing of Personal Data and Data Controller
Schibsted Norge AS collects and processes personal data about our customers, partners, and employees of advertisers in connection with advertising sales. We are responsible for processing this data securely, in accordance with legal requirements and with the expectations of our advertisers.
Schibsted Norge AS is the data controller for the processing of personal data described here.
The information provided here applies to personal data processing related to Schibsted’s advertising sales and does not include processing or collection of personal data related to users on Schibsted’s websites. If you want to learn more about how we collect and manage user data, you can read more on our Schibsted account information page, which you can find here.
2. The Personal Data Act
On 25 May 2018, new legislation replaced the previous data protection laws in the EU/EEA. In Norway, a new Personal Data Act entered into force on 20 July 2018. The new legislation is based on the EU General Data Protection Regulation (GDPR). The information in this document is structured according to GDPR’s rules on what information you have a right to receive.
3. Collection and Processing of Personal Data in Schibsted’s Advertising Business
The personal data Schibsted collects in connection with advertising activities is primarily used to carry out the sales process and the agreement with the customer, and to maintain contact with our active customers. This may include storing names and phone numbers to follow up a customer contact after a sales meeting, or processing personal data for order tracking and invoicing. Another example is storing contact information for a person working at a company that is a customer of Schibsted under an agreement. More detailed information about the purposes of processing personal data can be found in section 7 below.
Schibsted also stores personal data to maintain a complete accounting record in accordance with the Bookkeeping Act. This includes, for example, the names of customer references stored in invoices.
How do we collect personal data?
We collect personal data in the following ways:
When a person fills out one of our online contact forms
When a person communicates with our sales representatives or partners to purchase advertising placements
By collecting information about contact persons from company websites or directories such as gulesider.no
When a person registers to use our services, for example through FINN.no or EasyAd
From third-party data providers, such as IPER (a data supplier that collects company information from the Brønnøysund Register Centre and enriches it with data from other public sources)
Through participation in our events
When we receive data directly from an individual, a link to this privacy statement will be made available at the time the information is collected. For all processing of personal data described in this statement, the customer and contact person is registered in our customer system. When contact persons are registered, an email with a link to this privacy statement is automatically and immediately sent to the person's email address. When the information is not collected directly from the individual, information about the processing is provided immediately after processing begins.
4. Categories of Personal Data (What Personal Data Is Processed)
The table below provides an overview of the personal data collected in connection with Schibsted’s advertising operations. The data collected will vary depending on whether you contact us as a private individual or on behalf of a company.
| Category | Description |
|---|---|
| Name | Name of the customer, or name of a contact person at a company that is a customer (advertiser) of Schibsted. |
| Phone number | Phone number of the customer or contact person. |
| Email address | Email address of the customer or contact person. |
| Function / Role | The role and function of a contact person representing a company that is a customer of Schibsted. |
| Employer | Customer/partner/advertiser represented by the contact person. |
| Organization number | Organization number of a company. |
| Meeting notes | Notes from meetings and conversations with our sales staff. |
| Address | Address of the customer (advertiser). |
| Email correspondence | Emails containing personal data sent or received via your email address. |
| Newsletter and invitation response data | Information on whether recipients opened newsletters/invitations and how many times. |
| Events | Overview of events a person has registered for or attended. |
| Purchase history | Information about purchased products, including time and price. |
5. Storage Period
Personal data is stored for a specific period before being deleted. The table below describes what data is stored and for how long.
Customer record
(A summary of the customer – legal information, contact details, associated sales reps, contact persons, activities, and purchase history)
All Norwegian companies from the Brønnøysund Register Centre are stored and maintained in the system, including information about contact persons.
12 months after the last activity or transaction, all personal data (contact persons) associated with the company is deleted.
Personal data in the customer record
When a customer is marked as inactive (no activity or revenue for 12 months*), all personal data (including contact persons) is deleted.
If personal data about a contact person was collected from public sources and the customer is not active, the contact will be deleted no later than 3 months after collection unless a customer relationship is established.
If a contact person specifically requests deletion, we delete both the contact and all related information.
Accounting documentation
Primary documentation: 5 years
Secondary documentation: 3.5 years
Meeting notes and customer-related notes
Notes linked to the company are kept as long as the company exists in the system.
Notes linked only to a contact person are deleted when the contact person is deleted.
Meetings
Meeting entries linked to a company are kept as long as the company exists.
Meeting entries linked only to a contact person are deleted when the contact person is deleted.
Newsletter and event response information
This information is tied to the contact person.
It is retained as long as the contact person exists in the system.
When the contact person is deleted, this information is also deleted.
Survey responses are stored for 30 days before being anonymized.
*A customer is considered active for up to 12 months after the last activity and/or revenue. After this period, the customer is no longer considered active.
6. Purpose and Legal Basis for Processing Personal Data
To process personal data, a legal basis is required. The Personal Data Act provides several options. The table below (not included in your excerpt) explains the purposes and legal bases for Schibsted’s processing of personal data.
Legal bases:
Contract: Processing necessary to enter into or fulfill an agreement. Without the data, we cannot provide products or services.
Legal obligation: In some cases, we are legally required to process certain personal data.
Legitimate interest: Processing is permitted if Schibsted has a legitimate interest that does not override the individual's rights and privacy.
7. Use of Data Processors
We use suppliers who process information about companies and individuals on our behalf. Some of these suppliers will have access to personal data. Examples include data storage services and customer management systems.
These suppliers act as data processors, meaning they may only process data according to our instructions and only for the purpose of delivering the service to us. They may not use the data for their own purposes. We thoroughly assess all suppliers, including their information security, and enter into written data processing agreements in accordance with legal requirements.
8. Your Rights and How to Exercise Them
As a customer, partner, or advertiser employee, you own the personal data we store. You have the right to access, correct, and in some cases delete the data. Below is an overview of your rights:
Right of access: You may request information on what personal data we process about you.
Right to rectification: You may request correction of inaccurate information.
Right to erasure (“right to be forgotten”): You may request deletion or anonymization of your data.
Right to object and restrict processing: You may object when processing is based on legitimate interest, and we will stop processing unless legally required.
Right to data portability: You can request your data in a digital format and, where technically possible, have it transferred to another provider.
A full overview is available from the Norwegian Data Protection Authority (Datatilsynet). Please note that some legal exceptions apply.
9. How to Contact Us With Privacy Questions or to Exercise Your Rights
To exercise your rights or ask questions about our processing of personal data, please contact us at:
📧 snocrm@schibsted.no
📍 Schibsted Norge AS
Akersgata 55, 0180 Oslo
Org. no. 996334767
If you have concerns or suggestions for improvement, you may contact Schibsted Media’s Data Protection Officer (DPO).
You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).