Privacy and data protection notice

On this page you can read about how we process your personal data here at NoTies Consulting (Bedre Bedrift AS), and you can trust that we treat them with great respect and care!

💡 Did you know that you have to fully tailor a privacy notice to your own business? Generic ones don't cut it anymore, not for transparency reasons and not legally (cf. recent cases with hefty fines).

Controller and contact information

This privacy notice explains how we process personal data in our business as per the General Data Protection Regulation (GDPR). This privacy notice is applicable to our websites, including this one and gdprstart.com.

Our contact details are:

  • Company name: Bedre Bedrift AS (dba. NoTies.Consulting)
  • Company number: Foretaksregisteret 921 119 224 MVA (Norwegian registered limited liability company)
  • Email address: info [at] gdprstart.com

If you feel that any information here is unclear, or missing, please do not hesitate to reach out.

This privacy notice was last updated: May 2024.


Your data protection rights

  • Your rights of access and rectification: You may request access to or a copy of the information we process about you and ask us to rectify any incorrect data.
  • Your right to erasure or restriction: In some circumstances, you may ask us to delete and/or restrict our processing of your data, but we cannot delete any data we are required to process.
  • Your right to object to processing: In some circumstances, you may ask us to stop processing your data.
  • Your right to data portability: In some circumstances, you may ask us to transfer your data to you or to another organisation.
  • Also, if you're unhappy about how we process your data, you have a right to complain to the national data authority (in Norway: Datatilsynet). We hope, however, that you will contact us first so that we can try to resolve the matter for you in a satisfactory way.

Please contact us if you have any questions about or want to exercise one of your rights. You are entitled to a reply within 30 days, but we'll most likely respond way faster.


How we get your personal data

We typically process personal data about leads, customers, students, mentees, newsletter subscribers, website visitors, vendors and partners.

We process personal data when you:

  • buy our products or services, including subscribing to the DPO Hub, joining a workshop etc.
  • subscribe to our free content, including The Curated DPO newsletter
  • sign up for and participate in our events, free or paid
  • respond to one of our surveys
  • provide us with your contact details, e.g. give us your business card
  • contact us via phone, text, email, social media or our website
  • otherwise use our website, e.g. submit a form

It is voluntary to provide us with personal data, but if you choose not to, we may not be able to provide you with our services. We don't rent, buy or sell personal data from or to others, nor do we use automated decisions or profiling in the processing of your personal data.


Purpose, lawful basis and retention periods

We only process your personal data when we have a purpose and a lawful basis for doing so. Under the GDPR Article 6(1), the lawful bases we rely on are:

  • a) Your consent
  • b) We have a contractual obligation (contract)
  • c) We have a legal obligation
  • f) We have a legitimate interest

As a general rule, personal data shall not be processed and kept for longer than necessary to fulfil the purpose for processing. To comply with this, we have regular GDPR review days where we formally assess our privacy and data protection work with the intention to amend, update and, if necessary, delete personal data. We retain data for as long as we are required to as per applicable legal obligations related to for example accounting, tax or labour laws etc.

Your personal data is only kept for as long as we have a purpose and a lawful basis:

  • Until you withdraw your consent (e.g. for email marketing)
  • For as long as we have a contractual obligation with you (e.g. for sales)
  • For as long as we have a legal obligation in accordance with accounting and bookkeeping rules and/or other legal requirements and regulations we must abide by
  • For as long as we have a legitimate interest or until you ask us not to process your data in such a way (e.g. surveying existing customers)
💡 You can always withdraw your consent for any data processing based on consent, and you can also reach out to us at any time if you'd like us to stop processing and/or ask us to delete any of your data.

We have routines in place to ensure that personal data is deleted from all relevant systems when we no longer have a purpose and/or legal basis to continue to process them.


Details on the processing of your personal data

In this section we describe in detail when and how we process your data, for what purposes and our legal grounds to do so. We also specify the retention periods for the processing. Further below we describe which processors we use.

We process personal data when:

You visit our website on www.noties.consulting

This website is built with Ghost CMS (privacy policy and DPA) Pro version hosted on Digital Ocean with data stored in the EEA. We carefully selected (and pay for) a theme optimized for the GDPR to avoid third-country transfers. No cookies should be set when visiting and surfing our site but if you come across anything nefarious, please reach out!

We use Fathom Analytics (privacy policy and DPA) to analyse which pages people visit, for how long etc. Fathom Analytics was built with privacy as their business model. Your IP address is processed briefly, but we can't identify you from this. Read more about the technology here. The purpose of using this tool is to assess our website traffic in the most privacy-friendly way possible, so that we can continually improve our website and business. The lawful basis is f), where our legitimate interests are to continually improve our website and business. As per the explanation above, no data is stored over time.

💌 You subscribe to our newsletter The Curated DPO

We send out email newsletters 1-2 times a month and these might include information about our products and services. To become a subscriber, you must provide your email address and can share your name if you want to. 

The purpose is to share updates and articles (and sometimes tidbits related to the Grumpy GDPR podcast that we don't share elsewhere). The lawful basis is a) consent and you can easily unsubscribe at any time by clicking the "unsubscribe" link in any such newsletter.

We're super stoked that we finally found an email service provider (ESP) which allowed us to completely disable analytics! This action is permanent, i.e., we cannot enable it for our account again. 🔥 The ESP is based in Germany and all data is stored there (they don't have any sub-processors outside of the EEA either).

We process the data for as long as you subscribe, after which it will be deleted at our next GDPR review day.

๐Ÿค You join the The DPO Hub

If you subscribe to the DPO Hub, you're effectively becoming a customer so please refer to the section below. You can read the full privacy notice here.

๐ŸŽ™๏ธ You guest the Grumpy GDPR podcast

If you're one of our awesome podcast guests, we'll process your personal data such as name, email, correspondence, calendar invites and everything related to the actual recording, including audio.

The purpose is to facilitate the dialogue around the podcast episode, record, and share the final audio. After you have initially agreed to be a podcast guest, our lawful basis for publishing it is f), where our legitimate interest is to share the audio with our privacy and data protection community to contribute to everyone's continued learning. As a general rule, we don't delete episodes so the recording will exist for as long as the podcast does (which is hopefully for a long time!). If you for any reason want to request deletion of your contribution, please reach out to discuss.

PS: Note that the controllers for this particular processing are your hosts Miloš Novovic and Rie Aleksandra Walle.

You communicate with us

When you contact us through our website (contact form, blog comments, chat), email, phone (call, text message), social media and/or give us your business card, we process personal data. Depending on where and how you contact us, this may include your name, contact details, IP address and other information you choose to send to us.

The purpose is to be able to respond to your inquiries and, on some occasions, to keep records in case of complaints or legal claims. The lawful basis is f), where the legitimate interests are to be able to respond to your inquiries and, on some occasions, to keep records in case of complaints or legal claims. We review this data at our regular GDPR review day and delete personal data as appropriate. Due to the nature of our business, we can keep this type of personal data up to three years, or five years if we have a legal obligation in accordance with Norwegian accounting and bookkeeping rules.

You purchase our products and services, including digital ones

When you purchase products and services from us, we process personal data such as your name, contact details, order and payment details as well as purchase history. If your purchase includes digital delivery, for example over video (recorded or not), either one to one between us and you, or one to many between us and a group of people, we also process personal data such as profile picture, video (picture and sound), messages (chat) and IP address. Depending on the type of purchase, we may share the content from or the recording, or the entire recording, with other people, e.g. where the service is structured as a group program (for example mentorship). The recording will not be shared with unauthorized people. For services where we use a webinar system, please read more below.

The purpose is to be able to fulfil our obligation to deliver products and services you have purchased and to manage the customer relationship. The lawful bases are b) contract and c) legal obligation related to accounting, tax and other business rules and regulations we are required to abide by.

We process the data for as long as we have a legal obligation as per any applicable rules and regulations we are bound by. For example, we are required by law to store business records, which could include personal data, for a minimum of five years for accounting and tax purposes as per Norwegian regulations. In addition, we store data from customer projects/engagements, for up to five years following the end of the customer relationship, where the purpose and our legitimate interest (cf. the GDPR Article 6(1)(f)) is to be able to document deliverables and defend against legal claims.

You attend our events, including digital ones

When you attend our events that are free of charge, we process personal data such as your name and contact details. For paid events, we also collect order and payment information. The purpose is to be able to process your registration and attendance, and, if applicable, your payment. The lawful basis is a) consent, or, for paid events, b) contract and c) legal obligation related to accounting, tax and other business rules and regulations we are required to abide by. If we collect any information about dietary and/or access requirements, we also need your consent under GDPR Article 9(2)(a).

We may also use your data to send you an evaluation of the event you attended, to invite you to other relevant events and/or to offer relevant products and services. The lawful basis is f), where our legitimate interest is to offer you relevant products and services we think you will be interested in. If you do not wish to receive such messages, you will have an easy way to opt out, for example through an unsubscribe link in our emails. The data is kept for up to two years after you requested access to the content, unless you subscribe to e.g. our newsletter and/or are a customer of ours.

You respond to our evaluations or surveys

Responding to our evaluations and surveys is voluntary. We process personal data such as your name, contact details and other information you choose to share with us. Some evaluations or surveys may be anonymous, and in such cases, we do not process any personal data.

The purpose is to gather your feedback so that we can continuously improve our products and services, as well as provide you with better customer service in the future. The lawful basis is a) consent. We keep this data until you ask us to delete them, or at the latest up to two years after you responded to the survey.

You supply services to or collaborate with us

When you enter into an agreement with us either as a vendor, partner or processor, we process personal data such as your name, contact details and correspondence. The purpose is to be able to enter into this agreement and to respond to your inquiries, and the lawful basis is b) contract. We review this data at our regular GDPR review day and delete personal data as appropriate, but no later than five years after the contract has been terminated. We process other communication data as described in the "You communicate with us" paragraph above.

You use our website and/or online course platform hosted on Kajabi - pertaining only to gdprstart.com

When you use the website (built on Kajabi), we process as little personal data as possible and use only strictly necessary cookies where possible. When you submit a form on the website, we receive a notification in our inbox, but we're not able to see your IP address. Read more in our Cookie notice.

When you become a student or member of ours, we process personal data such as your name, contact details, IP address, order and payment details as well as purchase history. The purpose is to be able to fulfil our obligation to deliver products and services you have purchased, such as courses and memberships, and to manage the customer relationship. The lawful bases otherwise are b) contract and c) legal obligation related to accounting, tax and other business rules and regulations we are required to abide by.

Kajabi has integrated analytics showing sign-in count, last activity date, quiz results and progress. This functionality is native and can't be disabled. If you don't want your data to be analysed in this way, please don't purchase access to or use our systems. If you have purchased a product or a service, note that you will lose access to your content if you don't want to continue to use our platform. We don't use this data for any purpose, but we still need a lawful basis, which is f), where the legitimate interest is to be able to provide digital products and services. We process the data for as long as you are a member/student, after which it will be deleted shortly afterwards, at the latest within one year.


Whom we share personal data with

To run our business efficiently and securely, we sometimes have to, or choose to, share your personal data with other parties:

  • Public authorities we are obliged to report to (in Norway)
  • Our accountant
  • Data processors: providers of services that process your personal data on our behalf*
  • IT support, if necessary

We require that all such recipients secure data in accordance with good information security.

We enter into a data processing agreement with anyone who processes data on our behalf, as per the requirements in the GDPR Article 28(3).

* We use processors for:

  • Email, calendar and digital meetings
  • Accounting/bookkeeping and invoicing
  • Cloud storage
  • Our websites with online stores, online payments and online web portals (where you access digital products you purchase from us)
  • Business receipts
  • Newsletters
  • Project management, timekeeping, digital notebook and scheduling
  • Webinars
  • Signing documents electronically
  • Surveys and customer satisfaction feedback

To protect our business we don't publish all the details about our processors. If you'd like to know more about our processing and whom we share your personal data with, please contact us.

That said, note that we conduct rigorous due diligence on every processor before deciding to use them, as well as regular audits of existing ones in line with the Danish DPA's methodology.


Transfer of personal data outside the EU/EEA

In short: we store data in the EEA wherever feasible. If you have any questions about our use of third country-based processors, please contact us.

We'd like to highlight that we've taken every precaution to secure your personal data in the safest way possible with the systems and tools that we use. We don't collect more data than we need, store them no longer than what's strictly necessary, and we have robust internal security measures (use of a password manager, strong passwords (40+ characters, where possible), multifactor authentication (where possible), regular backups, including externally stored ones, strict data sharing routines etc.).

We do a thorough due diligence on every single processor we use in our business, where we (among other things) assess the quality (and security) of their website, privacy notice (if it's in line with the GDPR), review data processing agreements, general GDPR information, whether they have a Data Protection Officer and (if applicable) a European representative, their use of sub-processors, and technical and organizational security measures.

We also carry out a risk assessment for each processor - especially those located in third countries and/or that store personal data in third countries. If so, we review transfer tools and also do a transfer impact assessment. Finally, we assess the processor against the processing activity in question. All use of processors and storage of personal data in third countries has been thoroughly considered and (risk) assessed.

Processors we use for your online purchase (with HQ country/country of storage) are:

  • Kajabi (USA/USA): data from purchase form (except payment card details), Stripe ID, payment details, last login date etc.
  • Stripe (USA/USA): data from purchase form, purchase and payment information, last four digits of payment card details, IP address, metadata from Kajabi etc.
  • Fastmail (Australia/USA) or Proton (Switzerland/Switzerland & Germany): Email confirmation with purchase information (name and email address).

Otherwise in our business we use Fastmail and Proton for email correspondence and calendar invites, Microsoft OneDrive as cloud provider, Forms for surveys, and Teams or Whereby for meetings and webinars. When you register for a meeting, you must accept their terms.

The transfer tool for processors in third countries is either an adequacy decision, the EU Standard Contractual Clauses or your explicit consent. Kajabi, Stripe and Microsoft are certified under the EU-US Data Privacy Framework. Fathom Analytics is based in Canada and falls under their adequacy decision.

If you'd like more information about how we process your personal data, please contact us.


Information security

We take information security seriously and we will always do our utmost to safeguard your personal data in the best possible way. For example, we use SSL on our websites, strong passwords, a password manager, encryption and two-factor authentication to secure our data and prevent unauthorized persons from accessing, altering, deleting, or in any way affecting the data we store, including your personal data.

We only allow others to access and/or process your personal data in accordance with our instructions, and only when strictly necessary (e.g. when we require IT support).

We have implemented a policy for technical and organisational measures and a routine for managing data breaches. If we experience a personal data breach, i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, and it poses a medium to high risk for the people affected, we will notify the national data authority within 72 hours. If the risk is deemed high for the people affected, we will also notify them directly, if possible.
