Skip to content
Close
havgroup_wave

Privacy policy

PRIVACY POLICY FOR CUSTOMERS AND OTHERS

Processing of Personal Data in HAV Group

Companies within HAV Group process personal data in connection with our operations.

Our processing of personal data as a data controller is based on the nature and purpose of our business. Information about the personal data we process about you, the legal basis for the processing, the purpose, duration, etc., is provided below.

If you have questions or want to know more about our processing of personal data, you can contact us – see contact details below.

1. Data Controller
The HR department at HAV Group ASA is the overall data controller, meaning it determines why and how personal data is processed, as described below.

For questions about our processing of your personal data, you may also contact: office@havgroup.no

2. Why We Collect Personal Data and What We Collect

We collect and use personal data for various purposes depending on who you are and how we interact with you.

All processing of personal data is done in accordance with applicable privacy laws, including the Personal Data Act and the General Data Protection Regulation (GDPR).

“Personal data” refers to any information that can be linked to a physical person (referred to as the “data subject”).

“Processing” refers to any action taken with personal data, such as collection, registration, organization, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, deletion, or destruction.

3. Communication and Contact
We process personal data of individuals who contact us to respond to and document communication and to reach out to others. This includes all forms of communication—physical, digital, written, and verbal.

We process names, phone numbers, email addresses, and any personal data included in the inquiry, including history/logs.

This processing is based on our legitimate interest in maintaining contact and documenting our operations (GDPR Article 6(1)(f)). We consider this necessary for handling inquiries and that the data subject’s privacy does not override these interests.

Providing personal data is voluntary but necessary for us to respond to inquiries.

We retain the data until we expect no further follow-up.


4. Recruitment
During recruitment, we process CVs, applications, certificates, interview notes, and reference checks, which contain personal data.

We use the job application service karriere.no, which acts as our data processor. If you create a profile with the service, it becomes the data controller, and its privacy policy applies.

Processing is based on:

  • Consent (GDPR Article 6(1)(a)), if obtained.
  • Pre-contractual measures (GDPR Article 6(1)(b)).
  • Legitimate interest (GDPR Article 6(1)(f)) for verifying candidate suitability.

We advise against including sensitive personal data (e.g., health, religion, political views, union membership) in applications.

Personal data is deleted once recruitment is completed unless you consent to longer retention.

 

5. Retention and Deletion of Personal Data
We retain personal data as long as necessary for the purpose it was collected and delete it in accordance with legal requirements.

Examples:

  • Data based on consent is deleted if consent is withdrawn.
  • Data processed to fulfill a contract is deleted once the contract and related obligations are fulfilled.
  • Data processed due to legal obligations is deleted once the obligation ends.

6. Disclosure of Personal Data
We do not disclose your personal data unless there is a legal basis, such as a contract or legal obligation.

We use data processors for collection, storage, or other processing. We have agreements to ensure data security.

All processing occurs within the EU/EEA.

 

7. Security of Processing
We implement necessary technical and organizational measures to secure personal data.

We ensure data is accurate, accessible, and handled according to sensitivity. We use security technologies and procedures to protect against unauthorized access, use, or disclosure.

Risk assessments are conducted, and data processor agreements ensure equivalent security standards.

Access is limited to personnel or third parties processing data on our behalf, all bound by confidentiality.

 

We have procedures for handling data breaches and will notify the Data Protection Authority within 72 hours if the breach poses a risk. Affected individuals will also be notified if the breach significantly impacts their privacy.

8. Your Rights

You have the following rights regarding your personal data. Contact us to exercise them.

We will respond within one month. If more time is needed, you will be informed.

We may ask for identity verification to ensure we only provide access to your data.

  • Information: You have the right to be informed about the personal data we process.
  • Access: You can request access to your personal data.
  • Correction and Deletion: You can request correction or deletion of incorrect data. We will comply unless we still need the data.
  • Consent-Based Processing: You can withdraw consent at any time.
  • Restriction or Objection: You can request restriction or object to processing under certain conditions (see GDPR Article 21).
  • Data Portability: You can request your data in a structured, commonly used, machine-readable format.
  • Automated Processing and Profiling: We do not perform automated processing or profiling with legal or significant effects (see GDPR Article 22).

9. Complaints

If you believe our processing violates this policy or privacy laws, you can file a complaint with the Norwegian Data Protection Authority: www.datatilsynet.no

10. Changes

Changes in our services or privacy laws may lead to updates in this policy. If we have your contact details, we will notify you. Updated information will always be available on our website.

 

This site is protected by ReCAPTCHA and the Google Privacy Policy and  Terms of Service apply