Privacy policy

Find information about our privacy policy.

When does the Norwegian Petroleum Directorate collect personal information?

The NPD mainly processes information you have provided to us for one of these reasons:

  • General administration (applications, reporting, announcements, guidelines, etc.)
  • Access pursuant to the Freedom of Information Act
  • Registration for a course or seminar
  • Subscription to our newsletter
  • Applications for jobs with the NPD

We can also receive information indirectly, for example if an employee has listed you as next-of-kin, or a job application has listed you as a reference.

Your rights

You can exercise your rights by contacting our Data Protection Officer, or by sending an email to postboks@npd.no. You are entitled to a response without undue delay, within 30 days at the latest.

Access to own information

You can request a copy of all information we process regarding you.

Correction of personal information

You can request that we correct or supplement information that is incorrect or misleading.

Deleting personal information

In certain situations, you can request that we delete information about you.

Restriction in handling personal information

In some situations, you can also ask us to restrict the handling of personal information about you.

Object to the processing of personal information

If we process information about you on the basis of our tasks, or on a balancing of interests, you have the right to object to our processing of information about you.

Data portability

If we process information about you based on consent or contract, you can request that we transfer the information about you to you or to another person responsible for processing.

You can appeal our processing of personal information

We hope that you will let us know if you believe that we are not complying with the rules in the Personal Data Act. Contact our Data Protection Officer first.

You can also lodge an appeal over our processing of personal information. You do this directly to the Norwegian Petroleum Directorate, but the appeal will be forwarded to the Norwegian Data Protection Authority.

What information is registered when you use our webpages?

Web analysis

When you visit our website, we use a tool called Google Analytics to analyse your use of the website. The purpose of this is to develop statistics that we use to improve and develop the information provided on the website. Examples of what the statistics can indicate include how many people have visited various pages, how long the visit lasts, which websites the users come from, which browsers are used and which search words are entered.

The information is processed in anonymised and aggregated form. Anonymised means that we cannot trace the information we collect back to the individual user.

The basis for processing this information is Article 6 (1) (f) of the General Data Protection Regulation, which allows us to process information that is necessary for the purposes of a legitimate interest that carries more weight than consideration for the individual’s privacy. The legitimate interest is to improve our services on npd.no.

Cookies

Cookies are small text files that are placed on your computer when you download a website. The NPD uses cookies to ensure that various services on the website function properly. You can read more about the various cookies we use below.

The basis for this is Article 6 (1) (f) of the General Data Protection Regulation, which allows us to process information that is necessary for the purposes of a legitimate interest that carries more weight than consideration for the individual’s privacy. The legitimate interest is to ensure that services on the website function.

Storing of information and processing of information from cookies is not permitted unless the user of the website has both been informed about and has granted consent for such processing. The user must be informed about and approve which information will be processed, the purpose of the processing and who will process the information, cf. Section 2-7b of the Electronic Communications Act. This is done in the user’s browser.

Search engine

The Norwegian Petroleum Directorate stores information about which search words users make use of in the search tool in SharePoint. The purpose of the storage is to improve the information services we offer. The usage pattern for searches is only retained in Google Analytics, and the information is only stored in aggregated form.

The basis for processing this information is Article 6 (1) (f) of the General Data Protection Regulation, which allows us to process information that is necessary for the purposes of a legitimate interest that carries more weight than consideration for the individual’s privacy. The legitimate interest is to help our services on npd.no function.

What is registered when you contact us?

Telephone

When you call us, your telephone number will be stored in our telephone exchange along with information about when you called and how long the call lasted. This log is necessary for administration and operation of the system. Employees also have an overview of the most recent calls on their telephones. If a telephone call relates to a specific issue, a memo may be written and logged in a journal after the call. There is no other systematic registration of phone calls where the caller can be identified.

The basis for processing this information is Article 6 (1) (f) of the General Data Protection Regulation, which allows us to process information that is necessary for the purposes of a legitimate interest that carries more weight than consideration for the individual’s privacy. The legitimate interest is to manage and operate the telephone system.

E-mail

We use TLS encryption to secure our e-mail communication. Most webmail services support this, and your e-mail communication with us will thus be secure. Nevertheless, we ask that you do not send sensitive personal information or information that should be protected via e-mail, as we cannot guarantee that your e-mail provider supports TLS.

We scan all incoming and outgoing e-mail for viruses and malware.

The basis for processing this information is Article 6 (1) (f) of the General Data Protection Regulation, which allows us to process information that is necessary for the purposes of a legitimate interest that carries more weight than consideration for the individual’s privacy. The legitimate interest is to secure the NPD’s ICT infrastructure.

Visitors to our offices

Visitors to the Norwegian Petroleum Directorate must register in the reception. The visitor does this himself. The visitor’s name and company are printed on a visitor’s badge which the visitor must wear in plain sight while in the building. The badge is returned to the reception when the visit ends.

The basis for processing this information is Article 6 (1) (f) of the General Data Protection Regulation, which allows us to process information that is necessary for the purposes of a legitimate interest that carries more weight than consideration for the individual’s privacy. The legitimate interest is to secure access to the NPD’s offices.

Camera surveillance

Camera surveillance is established in the NPD’s offices. The system was set up as part of the effort to prevent undesirable or unintentional incidents inside the NPD’s part of the building. Cameras monitors movements in the transition from outer to inner zone, and in certain corridors outside working hours.

No data is recorded regarding the persons.

The basis for processing this information is Article 6 (1) (f) of the General Data Protection Regulation, which allows us to process information that is necessary for the purposes of a legitimate interest that carries more weight than consideration for the individual’s privacy. The legitimate interest is to secure access to the NPD’s offices.

Processing information when you contact us

Inquiries to the Norwegian Petroleum Directorate

When you contact us, we process information in order to respond to your inquiry. We store information that is necessary in order to answer your query. If you call us, we will store your telephone number and the time of the call. If you contact us by e-mail, we will store your inquiry, our reply and your e-mail address.

The information is retained for two years after the matter is closed. If the matter is subject to a recordkeeping obligation, the information will be retained for 25 years.

The basis for processing this information is Article 6 (1) (e) of the General Data Protection Regulation, which allows us to process information that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. If your inquiry contains certain categories of personal information, the basis for processing this information is Article 9 (2) (g) of the General Data Protection Regulation.

Subscribing to our newsletter

The Norwegian Petroleum Directorate sends out newsletters via e-mail to those who are interested.

In order for us to send you newsletters by e-mail, you must register your e-mail address. The e-mail address will only be used to send out newsletters.

The e-mail address is retained in a separate database, is not shared with others and is deleted when you unsubscribe from the newsletter. You can unsubscribe by clicking on the appropriate link in the newsletter, or by contacting us.

The basis for processing your e-mail address in connection with our newsletter is Article 6 (1) (a) of the General Data Protection Regulation, i.e. consent.

Ordering publications

You can order publications from the NPD on the website. The purpose of processing personal information is to be able to send you the publication, and we will then process information about the enterprise, including e-mail address, as well as name and e-mail address of contact persons.

Personal information that we obtain in connection with ordering publications will not be used for any other purpose than completing the order. After the order is sent, all information, except for number and enterprise will be deleted. This information will be used to prepare statistics.

The basis for processing this information is Article 6 (1) (b) of the General Data Protection Regulation, and this processing is necessary for the performance of a contract to which the data subject is party.

Post journal and access

The NPD keeps a systematic and continuous overview of all incoming and outgoing case documents. The journal is available on ‘eInnsyn’ (digital public records portal). The journal contains information about sender, recipient and title of the case document. First names are redacted from the journal when the entry is more than one year old.

The basis for processing this information is Article 6 (1) (c) of the General Data Protection Regulation, and this processing is necessary for compliance with a legal obligation, cf. Section 6 of the Freedom of Information Regulations.

Requests for access via eInnsyn are archived. All demands for access from eInnsyn are registered and signed for on a separate form. The form is logged in the journal at year-end.

For enterprises

Supervision

When the NPD conducts supervision, we process information so that we can carry out our statutory tasks. This includes information about the contact person in the enterprise, information about other employees and other information that is necessary to process the case.

The information is retained for as long as the case is ongoing, and if the case is subject to a recordkeeping obligation, the information will be retained for 25 years.

The basis for processing this information is Article 6 (1) (e) of the General Data Protection Regulation, which allows us to process information that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. If your inquiry contains special categories of personal information, the basis for our processing is Article 9 (2) (g) of the General Data Protection Regulation.

Information about employees and job applicants

Employees

The NPD processes information about employees and for administration of wages and working conditions. Necessary information is registered for disbursement of wages, such as basic data, wage level, time recording, tax rate, tax municipality and trade union affiliation. Other information about employees is linked to the individual’s work instructions and organisation of the individual’s work.

The basis for processing this information is Article 6 (1) (b) of the General Data Protection Regulation, and this processing is necessary for the performance of a contract to which the data subject is party.

Information is also registered in connection with key administration of entries and exits, and information related to access control in the IT system. This information is obtained from the employees themselves. The information is only surrendered in connection with payment of wages and other statutory disclosures. Routines for deleting personal information follow the Accounting Act and the Archives Act. Information regarding name, position and work area is considered to be public information, which can be published on our website.

All former and current employees have an employee file in our archives. Among other things, the job application is filed/retained here. Employee files shall be retained (that means that the job application is not deleted or destroyed). Personnel files are reviewed at the end of the employment relationship. Personnel files shall be delivered to the National Archival Services of Norway. Access is restricted to official needs.

Job applicants

If you apply for a job with the Norwegian Petroleum Directorate, we need to process information about you in order to evaluate your application.

The basis for processing this information is Article 6 (1) (b) of the General Data Protection Regulation –, and this processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. If your application contains special categories of personal information, the basis for our processing is Article 9 (2) (b) and (h) of the General Data Protection Regulation.

All job applications are recorded in the NPD’s post journal. These are retained in our electronic archives for approximately one year, before they are destroyed. All other documents, such as lists of applicants and recommendations, as well as all job applications at director level, are retained.

Information security and data processors in the Norwegian Petroleum Directorate

Logging

The NPD has basic security logs in the technical systems. The employees’ use of the technical system is recorded here, and the NPD has a dedicated procedure for what is to be logged.

The basis for processing this information is Article 6 (1) (f) of the General Data Protection Regulation, which allows us to process information that is necessary for the purposes of a legitimate interest that carries more weight than consideration for the individual’s privacy. The legitimate interest is to secure the NPD’s IT infrastructure.

The Norwegian Petroleum Directorate’s use of data processors

The NPD currently has an ICT operations model in which we operate large parts of our systems ourselves, but where we have also turned over operation of some systems to external parties. In cases where we operate ourselves, we also use external consultants.

We have a local server farm with a virtual server environment that we operate ourselves, with the assistance of external consultants (Evry, Atea and DatabaseForum).

For the wages and time recording system, we use services from the Norwegian Government Agency for Financial Management (DFØ) which run on their servers.

The NPD’s website is hosted in-house. The website is also operated in-house, with assistance from Bouvet. Our technical/archive system is ePhorte.


17.01.2019