Telenor Digital Privacy Notice

We value your privacy and take the protection of your personal data seriously. While having a privacy notice is a legal obligation under the General Data Privacy Regulation (GDPR), we also present this important information for the sake of transparency. We rely on your willingness to share your data in order to provide services to you, improve our services, and develop new products that suit your needs. This process requires mutual trust and results in mutual benefit.

Our Privacy Notice explains what personal data we collect from you, as well as why and how we process it. It also provides guidance regarding your data privacy rights and how you can exercise them.

Who is Telenor Digital and what do they do?

Telenor Digital AS is a Norwegian company and a central service provider within the Telenor Group. As such, we develop, provide, and maintain mobile apps, web applications, and backend solutions to other Telenor companies.

We also deliver services to partners outside of Telenor Group with Telenor ID, our identity management solution. You can use Telenor ID to sign in to services offered by Telenor Group as well as services offered by other companies.

To deliver these services, we step into one of two roles: data controller or data processor. It is important to be able to distinguish between these roles for the purposes of this Privacy Notice.

  • As data controller we determine why and how personal data is processed. In this case, we are your primary partner when it comes to your privacy rights. You can read more about your rights and how to exercise them below.
  • As data processor we deliver technology or services to another company (usually your mobile operator). In this case, the other company acts as the data controller and makes decisions regarding data processing, while we are legally obligated to follow their instructions. Any questions or objections regarding privacy in these cases should be directed to the data controller.

Telenor Digital as a Data Controller

Telenor Digital is the data controller for the services for which you have entered into an end-user agreement with us. This controllership extends to support services for those contracted services. For example, if you have an end-user agreement with Telenor ID, Telenor Digital is the data controller for Telenor ID and supporting services offered for Telenor ID by Customer Care, Permissions Management, and Analytics.

Telenor Digital as a Data Processer

As data processor, our contribution is a background support activity which only exists to enable services offered by another company, usually your mobile operator. In this case, the other party is the data controller and will respond to your privacy concerns, except where we use this data to improve the support services that we offer.

What are my rights regarding the collection and use of my personal data?

You have a number of important rights regarding your personal data which you can exercise by visiting your privacy settings in your service or contact Telenor Digital directly. Customer Service will handle your requests and answer your questions. These include the:

  • Right to withdraw consent: Where you have previously given consent for us to process your personal data, you can withdraw that consent any time.
  • Right to access your information: You can ask for more detail regarding the data we collect about you and how we process it.
  • Right to rectification: You can request that we correct any inaccurate personal data which we are processing. For most of our services, the simplest way to correct your data is to update your user profile yourself.
  • Right to object: When we process your personal data on the legal basis of legitimate interest, as discussed below, you have the right to object to such processing.
  • Right to erasure: You can request that we erase the personal information we hold about you. This kind of request must meet certain criteria. For example, we cannot delete information required to fulfill our contract with you.
  • Right to restrict processing: In certain cases, you may request that we cease processing of your personal data for specific purposes. For instance, you might claim that our use of your data is unlawful, but you may ask us to restrict the processing of data, as opposed to deleting it.
  • Right to portability: You have the right to receive the personal data we are processing concerning you. This pertains to the data which you have provided to us and that we are processing based on your consent or in order to perform a contract with you, provided that the data is processed using automated means. This right includes a direct transfer of your data to another controller, where technically feasible.

    Please note that the right to portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. We also will not be able to extend this right in a way that would adversely affect the rights and freedoms of others.

Please contact us if you have questions about your personal data rights. You also have the right to lodge a complaint with a supervisory authority.

What personal data does Telenor Digital process and how long is it kept?

The way we collect personal information varies depending on the services you use. In general, we obtain three types of personal data from you:

  • Direct: Information you provide to us upon our request when you subscribe to or otherwise use our services, or when you get in touch with us (for customer service reasons, for example).
  • Automatic: Data generated automatically by the use our services.
  • Indirect: Information that we may receive about you from third parties, such as providers of services you use and that integrate with our services.

Our data retention policies vary based on the purpose of processing. As a general rule, we will not keep your personal information longer than is necessary for the purposes outlined in this privacy notice.We need to keep most of your account-related data as long as you have an active account. If you choose to delete your account, we will delete your data after 30 days, except in cases where there are legal reasons to retain it.

Directly Obtained Data

When you sign up to receive one of our services, you provide us with certain personal information. This can include:

  • Required/Requested Information: Basic registration and contact information you provide when you sign up for one of our services.
  • Account Settings: Information about the preferences you choose when setting up your account, which you may also adjust later on.
  • Communications with us: Logs of your contact with us, including emails and customer notes, for example.

Automatically Obtained Personal Data

When you use our services, some information is generated automatically. This information will vary depending on the service and the device that you use.

Examples of data generated automatically:

  • The way you access our services: For example, this includes information about device models, operating systems and the time of service usage. This helps us understand how to optimise implementation i.e., with regards to certain operating systems or devices, but also to identify potential security vulnerabilities.The IP address can be used to distinguish users for example for counting purposes.
  • The way you interact with our websites: For example, this includes information about browsers used, which pages are being visited the most, on which pages users have to repeat actions, indicating that the user interface is not working as intended. This allows for responsive troubleshooting, agile development of desired features and reactive customisation of the service to your needs.

Indirectly Obtained Personal Data

We sometimes collect personal information about you from third parties in connection with services that we provide to you. This is a necessary element of integrating our services with the services provided to you by others, such as your mobile service provider.

Examples of data we obtain indirectly:

  • Telenor ID Integration with Partner Services: You may choose to use our services to enable services offered by others. For example, you could use Telenor ID as a login solution to access another company’s webshop. In that case, Telenor ID needs to communicate about you with the other service provider in order to deliver the service you have requested.
  • Customer Care: If you request customer service assistance for an issue that involves an integrated service, we may need to reach out to that service to collect additional information about your account and the problem you’ve encountered.

Why does Telenor Digital process my personal data?

Telenor Digital uses much of the personal data we process to provide you with the services you use. Your data makes these services run. This kind of data processing is referred to as “processing for the performance of contract”.

In addition, we process some data for purposes defined as “legitimate interests” under the law. This usually refers to cases where we process data to better understand your experience with our products and services. The insights we gain by analysing this kind of data help us to improve and fix our existing products, as well as develop new features to meet your needs.

Finally, there are a few use cases in which we are obligated to process personal data by applicable law.

Performance of Contract

Roughly 70% of our activities rely on data processing in order to perform our contract with our end-users.

Example: When you sign up for Telenor ID, you want a single-sign-on solution that allows you to sign in to other services easily and securely without having to provide your credentials each time. This service only works reliably if you share some basic account data with us, we can verify it (by sending you a PIN code via SMS, for example), and we can create an identity token to share with the service you intend to sign-into with Telenor ID. All of these steps require that we process data in order to provide you with the service.

Legitimate Interest

About 25% of our activities rely on data processing defined as legitimate interests.

The following is a list of our legitimate interests for data processing:

  • To improve our customer service. We are committed to providing you with quick, effective and convenient assistance, should you encounter an issue with one of our services. Quality assurance of our customer service is essential to improving our processes and meeting your needs.
  • To maintain network security. We are committed to maintain both the integrity and confidentiality of your data and the reliability of our services. Therefore, we take measures to recognise events that indicate an attack on our systems or fraudulent attempts to access or alter data. We also keep log-files, accessible only to few of our colleagues and only on documented exceptional circumstances, which allow us to investigate security incidents and learn from them.
  • To improve customer experience. We need to understand how you access our services to ensure an effective presentation of our websites and apps on your devices. This includes troubleshooting and preventive measures to maintain the stability of our services.
  • To integrate our services within the Telenor Group. Telenor Digital provides centralised services to Telenor Group, which is why your mobile service provider will exchange information with us for various administrative purposes. This includes information on the performance of our services to improve integration or supporting internal reporting.
  • To improve our performance. This includes understanding how our products are used across different markets and over time in order to optimise them accordingly. In many cases, this data will be aggregated. Such aggregated statistics do not include information that can personally identify you. We use this information for research to provide a better customer experience and to create new services.

For some specific data processing, we will ask your prior explicit consent. However, Telenor Digital rarely uses any such processing or technology; for example, we do not use automated decision making or profiling with a legal or otherwise significant effect.

Does Telenor Digital transfer personal data to Third Parties?

Third party companies help us provide and maintain our services. These third parties fall into the following categories:

  • Telenor Group: As a central service provider in the Telenor Group, we integrate and collaborate with other Telenor companies. These activities require data transfers to or from your mobile service provider or any other provider you have chosen within Telenor Group. You will know that this happens when you actively use both services together (for example, when you use Telenor ID to sign in to your MyTelenor account with your mobile service provider).
  • Partners: Occasionally, we integrate our services with partners outside the Telenor Group. In such a case, each party is responsible for their part of the data processing as a data controller.
  • External vendors: We use external vendors to host our services and to help us improve and maintain our products. These vendors are data processors to us, which means they are legally and contractually obligated to follow our instructions, maintain your data securely according to our standards, delete your data upon request, and so forth.

Finally, if we decide to sell, buy, merge or otherwise re-organise a business, we may transfer your personal information to purchasers, or partners and their advisers.

Data transfers outside of the EU/EEA

In some specific cases, we transfer data to countries outside the European Economic Area (EEA)/European Union (EU). Such transfers occur when:

  • your country of residence is outside EU/EEA, you are a subscriber of your local Telenor mobile services provider, and you use a service of ours that integrates with a service offered by your local mobile service provider; or
  • you use Telenor ID to sign in to a service based outside EU/EEA; or
  • we use the processing capacities of a vendor based outside EU/EEA.

In the first two cases, the countries to which we transfer the data are determined by the location of your mobile service provider or the location of the services you are using with Telenor ID. Unless it is necessary to transfer the data to a country outside the EU/EEA for the performance of our contract with you, we enter into standard data protection clauses adopted by the European Commission (“EU Model Clauses”).

Many of our vendors are located in the United States, however, the hosting services we purchase limit the location of processing to Ireland, which means that the data does not leave the EEA. For vendors that help us improve and maintain our products, such as web analytics, we enter into EU Model Clauses, or, where applicable, use the “Privacy Shield” programme.

In addition, the EU has preapproved certain countries that are considered as having an adequate level of data protection.

Changes to the Privacy Notice

We may update this Privacy Notice from time to time, as our data processing may change and we would like to keep you informed.

Where we think it is appropriate, and in the event that we make material changes to our privacy notice, we will also notify you that our privacy notice has been updated. By continuing to use our services after that period you confirm your continuing acceptance of this privacy notice.

How can I contact Telenor Digital regarding my privacy rights?

If you have privacy-related questions or concerns, the quickest way to get in touch is the Your Rights section of our Privacy service (if you have a Telenor ID). Customer Service will respond to your request via email as soon as possible, and refer you to the Data Protection Officer.

If you do not have a Telenor ID, please send an email to our Data Protection Officer directly at DPO@telenordigital.com

Telenor Digital AS
Snarøyveien 30
1331 Fornebu, Norway
Org. No. NO 996 516 288