Privacy and data protection notice

On this page you can read about how we process your personal data here at NoTies Consulting (Bedre Bedrift AS), including our websites (noties.consulting, join.dpohub.eu, community.dpohub.eu).

Controller and contact information

This notice explains how we process personal data in our business as per the General Data Protection Regulation (GDPR) and applies to our websites, including this one, join.dpohub.eu and community.dpohub.eu.

Our contact details are:

  • Company name: Bedre Bedrift AS (dba. NoTies.Consulting)
  • Company number: Foretaksregisteret 921 119 224 MVA (🇳🇴 registered limited liability company)
  • Email address: info [at] gdprstart.com

Please contact us at if you feel that any information here is unclear or missing. You can read about your data protection rights below.

This notice was last updated: August 2024.


How we get your personal data

We typically process personal data about potential and existing customers, students, mentees, newsletter subscribers, website visitors, vendors and partners.

We process personal data when you:

  • buy our products or services, including subscribing to the DPO Hub, joining a workshop etc.
  • subscribe to our free content, including Rie's DPO Letters
  • sign up for and participate in our events, free or paid
  • respond to one of our surveys
  • provide us with your contact details, e.g. give us your business card
  • contact us via phone, text, email, social media or our website(s)
  • otherwise use our website(s), e.g. submit a form

It is voluntary to provide us with personal data, but if you choose not to, we might not be able to provide you with our services. We don't rent, buy or sell personal data from or to others or use automated decisions or profiling in the processing of your personal data.


Purpose, lawful basis and retention periods

We only process your personal data when we have a purpose and a lawful basis as per the GDPR Article 6(1)—in our case:

  • a) Your consent, for example to receive our free newsletter
  • b) We have a contractual obligation (contract) with you, for example to deliver speaking services or digital products
  • c) We have a legal obligation, typically related to accounting, bookkeeping, taxes and other business operations
  • f) We believe we have a legitimate interest, typically to continually improve and run an effective business
💡
We have solid routines in place and regular GDPR review days, where we formally assess our privacy and data protection work with the intention to amend, update and, if necessary, delete personal data.

Details on the processing of your personal data

In this section, we detail when and how we process your data, the purposes behind it, and our legal grounds. We also specify the retention periods for each type of processing.

Website analytics

We use Fathom Analytics (privacy policy), software built with privacy at the core, for website analytics. Your IP address (which we can't see) is only processed briefly and no data is stored over time. The lawful basis is our legitimate interest to continually improve our websites and business.

This processing applies to the following websites:

  • noties.consulting
  • dpohub.eu
  • join.dpohub.eu
  • community.dpohub.eu

You visit this website (noties.consulting)

This website is built with Ghost CMS (privacy policy), hosted on Digital Ocean with data stored in the EEA. We aim to limit third-country transfers and don't use marketing or ads cookies. We use Fathom Analytics for website analytics, as described above.

You visit our website join.dpohub.eu

The join.dpohub.eu website is built on Kajabi CMS (privacy policy), with data stored in the US. We aim to limit third-country transfers and don't use marketing or ads cookies. We use Fathom Analytics for website analytics, as described above. Read the cookie notice here.

When you submit a contact form, it’s stored in Kajabi, and we receive an email copy. Personal data includes what you submit, plus the date and time. This is to facilitate communication based on our legitimate interest in replying to your inquiry. We delete data regularly, within a year. You can also subscribe to our free newsletter—details in the next section. 👇

💌 You subscribe to Rie's DPO Letters (join.dpohub.eu)

On our website join.dpohub.eu you can sign up for our free newsletter, sent 1-2 times a month. You must provide an email address and can share your name. The lawful basis is your consent.

The newsletter includes Rie's privacy and data protection musings, handy tips on being an Effective DPO, tidbits related to the Grumpy GDPR podcast (not shared elsewhere!), and we sometimes promote our services.

Kajabi's newsletter analytics (opens/clicks) can't be disabled. As consent doesn't seem right in this scenario, we base this processing on our legitimate interest to run our business effectively. If this processing concerns you, don't subscribe—follow Rie's LinkedIn posts instead.

If you subscribe and then change your mind, you can object or withdraw consent by unsubscribing via the link in any newsletter, and we'll delete this data within a month.

PS: We used an EEA-based service before but switched to a US one for several reasons. First, however, we redid a complete GDPR due diligence and risk assessment of Kajabi, including all six forms (vendor, system, privacy policy, DPAg, and more)! Listen to our Grumpy GDPR podcast discussion for more details.

🤝 You join the The DPO Hub (dpohub.eu)

If you subscribe to the DPO Hub, you're effectively becoming a customer so please refer to the section below. You can read the full privacy notice here.

💛 You join the The DPO Hub Community (community.dpohub.eu)

As a DPO Hub Founding Member, you get free access to the DPO Hub Community (community.dpohub.eu), hosted on Kajabi CMS (privacy policy), with data stored in the US. We aim to limit third-country transfers and don't use marketing or ads cookies. We use Fathom Analytics for website analytics, as described above, and Kajabi shows join date, logins and last activity date. Read the cookie notice here.

The purpose of the Community is to exchange thoughts, ideas and interact with other members, meaning you’ll share plenty of personal data. To get access, you need an account and must share your email address and name, and create a password. The legal basis for this is contract, which you enter into by submitting the form, simultaneously accepting the terms.

If you leave the Community, your account will be removed from the platform, but your profile will only show as inactive, and your interactions remain visible. You can change your profile name before you leave. 

There is, however, currently no way to delete all your data automatically, so if you want your contributions removed, you must do it yourself manually. When you join the Community, you agree to this as per the Community terms; the legal basis otherwise is our legitimate interest to facilitate a dynamic and lively community and maintain a complete history of conversations for all members. 

PS: We're in dialogue with Kajabi to try to get a better erasure process in place.

🎙️ You guest the Grumpy GDPR podcast

If you're one of our awesome podcast guests, we'll process your personal data such as name, email, correspondence, calendar invites and everything related to the actual recording, including audio.

The purpose is to facilitate the dialogue around the podcast episode, record, and share the final audio. After you have initially agreed to be a podcast guest, our lawful basis for publishing it is f), where our legitimate interest is to share the audio with our privacy and data protection community to contribute to everyone's continued learning. As a general rule, we don't delete episodes so the recording will exist for as long as the podcast does (which is hopefully for a long time!). If you for any reason want to request deletion of your contribution, please reach out to discuss.

PS: Note that the controllers for this particular processing are your hosts Miloš Novovic and Rie Aleksandra Walle.

You communicate with us

When you contact us through our website (contact form, blog comments, chat), email, phone (call, text message), social media and/or give us your business card, we process personal data. Depending on where and how you contact us, this may include your name, contact details, IP address and other information you choose to send to us.

The purpose is to be able to respond to your inquiries and, on some occasions, to keep records in case of complaints or legal claims. The lawful basis is f), where the legitimate interests are to be able to respond to your inquiries and, on some occasions, to keep records in case of complaints or legal claims. We review this data at our regular GDPR review day and delete personal data as appropriate. Due to the nature of our business, we can keep this type of personal data up to three years, or five years if we have a legal obligation in accordance with Norwegian accounting and bookkeeping rules.

You purchase products or services

When you purchase products and services from us, we process personal data such as your name, contact details, order and payment details as well as purchase history. If your purchase includes digital delivery, for example over video (recorded or not), either one to one between us and you, or one to many between us and a group of people, we also process personal data such as profile picture, video (picture and sound), messages (chat) and IP address. Depending on the type of purchase, we may share the content from or the recording, or the entire recording, with other people, e.g. where the service is structured as a group program (for example mentorship). The recording will not be shared with unauthorized people. For services where we use a webinar system, please read more below.

The purpose is to be able to fulfil our obligation to deliver products and services you have purchased and to manage the customer relationship. The lawful bases are b) contract and c) legal obligation related to accounting, tax and other business rules and regulations we are required to abide by.

We process the data for as long as we have a legal obligation as per any applicable rules and regulations we are bound by. For example, we are required by law to store business records, which could include personal data, for a minimum of five years for accounting and tax purposes as per Norwegian regulations. In addition, we store data from customer projects/engagements, for up to five years following the end of the customer relationship, where the purpose and our legitimate interest (cf. the GDPR Article 6(1)(f)) is to be able to document deliverables and defend against legal claims.

You attend an event

When you attend our events that are free of charge, we process personal data such as your name and contact details. For paid events, we also collect order and payment information. The purpose is to be able to process your registration and attendance, and, if applicable, your payment. The lawful basis is a) consent, or, for paid events, b) contract and c) legal obligation related to accounting, tax and other business rules and regulations we are required to abide by. If we collect any information about dietary and/or access requirements, we also need your consent under GDPR Article 9(2)(a).

We may also use your data to send you an evaluation of the event you attended, to invite you to other relevant events and/or to offer relevant products and services. The lawful basis is f), where our legitimate interest is to offer you relevant products and services, we think you will be interested in. If you do not wish to receive such messages, you will have an easy way to opt out, for example through an unsubscribe link in our emails. The data is kept for up to two years after you requested access to the content unless you subscribe to e.g. our newsletter and/or are a customer of ours.

You respond to a survey

Responding to our evaluations and surveys are voluntary. We process personal data such as your name, contact details and other information you choose to share with us. Some evaluations or surveys may be anonymous, and in such cases, we do not process any personal data.

The purpose is to gather your feedback so that we can continuously improve our products and services, as well as provide you with better customer service in the future. The lawful basis is a) consent. We keep this data until you ask us to delete them, or at the latest up to two years after you responded to the survey.

You supply services to or collaborate with us

When you enter into an agreement with us either as a vendor, partner or processor, we process personal data such as your name, contact details and correspondence. The purpose is to be able to enter into this agreement and to respond to your inquiries and the lawful basis is b) contract. We review this data at our regular GDPR review day and delete personal data as appropriate, however no later than five years after the contract has been terminated. We process other communication data as per the first paragraph in this chapter, please see above.


Whom we share personal data with

To run our business efficiently and securely, we sometimes share your personal data with other parties:

  • Public authorities we are obliged to report to (in Norway)
  • Our accountant
  • Data processors: providers of services that process your personal data on our behalf
  • IT support, if necessary

We enter into a data processing agreement with anyone who processes data on our behalf, ref. the GDPR Article 28(3).

We use processors for:
  • Email, calendar and digital meetings
  • Accounting/bookkeeping and invoicing
  • Cloud storage
  • Our websites with online stores, payments and web portals (where you access digital products you purchase from us or sign up for the newsletter)
  • Newsletters
  • Project management, timekeeping, digital notebook and scheduling
  • Webinars
  • Signing documents electronically
  • Surveys and customer satisfaction feedback

To protect our business we don't publish all the details about our processors. If you'd like to know more about our processing and whom we share your personal data with, please contact us.

We conduct rigorous due diligence on every processor before deciding to use them, as well as regular audits of existing ones in line with the Danish DPA's methodology.


Transfer of personal data outside the EU/EEA

In short: we store data in the EEA where feasible. If you have any questions about our use of third country-based processors, please contact us.

We do a thorough due diligence on every processor we use in our business, where we (among other things) assess the quality and security of their website (and their use of potentially invasive ads/marketing cookies), privacy notice (if it’s in line with the GDPR), review data processing agreements, general GDPR information, whether they have a DPO and (if applicable) a European representative, their use of sub-processors, if there are know security or privacy breaches, and technical and organisational security measures.

We also carry out a risk assessment for each processor—especially those located in or store data in third countries. Finally, we assess the processor against the processing activity in question. All use of processors and storage of personal data in third countries has been thoroughly considered and (risk) assessed.

Third-country processors we use are (with HQ country/country of storage):

  • Kajabi (USA/USA): email address, name, data from purchase form (except payment card details), Stripe ID, payment details, last login date etc.
  • Stripe (USA/USA): email address, name, address, data from purchase form, purchase and payment information, last four digits of payment card details, IP address, metadata from Kajabi etc.
  • Fastmail (Australia/USA) or Proton (Switzerland/Switzerland & Germany): email confirmation with purchase information (name and email address)

Otherwise in our business we use Fastmail and Proton for email correspondence and calendar invites, Microsoft OneDrive as cloud provider, Forms for surveys, and Teams or Whereby for meetings and webinars. When you register for a meeting, you must accept their terms.

The transfer tool for processors in third countries is either an adequacy decision, the EU Standard Contractual Clauses or your explicit consent. Kajabi, Stripe and Microsoft are certified under the EU-US Data Privacy Framework. Fathom Analytics is based in Canada and falls under their adequacy decision.

If you’d like more information about how we process your personal data, please contact us.


Information security

We do take information security seriously—it's not just a generic statement here. For example, we take regular backups (including externally stored ones), use SSL on our websites, strong passwords, a password manager, encryption and two-factor authentication to secure all our data and prevent unauthorised persons from accessing, altering, deleting, or in any way affecting the data we store, including your personal data.

We only allow others to access and/or process your personal data in accordance with our instructions, and only when necessary (e.g. when we require IT support).

We've implemented a policy for technical and organisational measures and a routine for managing data breaches. If we experience a personal data breach, i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, and it poses a medium to high risk for the people affected, we will notify 🇳🇴 Datatilsynet (or other relevant DPAs) within 72 hours. If the risk is deemed high for the people affected, we will also notify them directly, if possible.


Your data protection rights

  • Access and rectification: You can request access to or a copy of the information we process about you and ask us to rectify any incorrect data.
  • Erasure or restriction: You may ask us to delete and/or restrict our processing of your data.
  • Object to processing: You may ask us to stop processing your data.
  • Data portability: You may ask us to transfer your data to you or to another organisation.
  • If you’re unhappy about how we process your data, you have a right to complain to the national data protection authority (in Norway: Datatilsynet). But please contact us first as we're sure we can resolve whatever issue you have. 😊

Also note that you can always ask for any right under the GDPR, but we might not be able to fulfill your request, for example where we're required by law to process certain personal data, or we believe we have a legitimate interest to do so.

Please contact us if you have any questions about or want to exercise one of your rights. You are entitled to a reply within a month, but we'll most likely respond way faster!

Spread the word