Cookies and Privacy

Evidi Privacy Statement

1. Processed personal information

   Evidi does not collect personal information such as birthdates, social security numbers, or details of personal payment cards.

2. Examples of collected information

   - Company name

   - Contact person

   - Company address/invoice address 

   - Phone number and email address

   - Information about your use of the website, including visited subpages, browser settings, and IP address

3. How information is collected

   Evidi gathers information through forms on our websites. Providing this information is voluntary. If you choose not to provide personal information, we may be unable to grant you access, contact you, or provide the requested information.

4. Sample forms

   - Contact form

   - Meeting booking

   - Form for downloading whitepapers, e-books, etc.

   - Registration for webinars, courses, and conferences

   - Subscription to receive newsletters or blogs via email

5. Purpose of collected information

   - To send relevant information

   - To make contact and offer our products and services

   - To provide excellent customer service 

   We create profiles based on the information collected to offer you the most relevant products and provide excellent customer service. These profiles are solely based on information you voluntarily provide; we do not obtain information for this purpose from third parties.

6. How information Is stored

   Information collected through forms on our websites is stored in our CRM system (Microsoft Dynamics 365).

7. How information Is deleted

   Information is deleted upon request by contacting us.

8. Disclosure of information to third parties

   Personal information is not shared with external third parties, but Evidi may use subcontractors to deliver all or parts of the website. Such subcontractors may process personal information on behalf of Evidi.

9. Rights

   As a user of our websites, you have the right to demand insight into the personal information we process about you and how it is processed. You can also request correction, deletion, and restrictions in the processing of personal information according to privacy laws.

   Where the processing of personal information is based on consent, you may withdraw consent at any time.

   If you believe that Evidi has not complied with your rights under privacy laws, you have the right to complain to the relevant supervisory authority. This can be done by filing a complaint with the Norwegian Data Protection Authority; contact information is available at www.datatilsynet.no.

10. Webinars and sharing of recordings

    Evidi hosts webinars via Teams, some of which are conducted as online seminars. By participating in our webinars, you consent to recordings being shared on Evidi's website, and that an email with recordings may be sent to the webinar participants. Depending on the duration, participant names may be partially or fully visible in the recording.

    If you prefer that your name not be displayed in the shared recording, please contact us through our contact form.

11. Recording and transcription in Teams meetings

    Teams meetings can be recorded and transcribed. For the Privacy Statement related to recording and transcription in a Teams meeting, please refer to Microsoft's Privacy Statement/Privacy Policy for Microsoft products.
    

1. Adhere to the General Data Protection Regulation (GDPR)

   When implementing tools for analysis and tracking on your website, be prepared to comply with the regulations of the General Data Protection Regulation (GDPR). This applies even if you are unaware of the names or identities of those visiting your website. Analytical tools collect a significant amount of information about visitors, which, either alone or in combination, may constitute personal data.

   An IP address usually qualifies as personal information. Cookie IDs, location data, or detailed information about users' devices can also be considered personal data. Often, this information is combined with data about visitors' behaviour on the website, and this, too, is classified as personal data.

   Learn more about personal data from Datatilsynet.

2. Minimize Data Collection

   It is not permissible to collect more personal information than necessary. If your analytical tool currently collects information that you do not use, it violates the law. Choose an analytical tool that provides only the information you need and find useful.

   Additionally, it is not permissible to store personal information longer than necessary.

   Learn more about data minimization, storage limitations, and other privacy principles from Datatilsynet.

3. Do not rely on the cookie banner to save you

   There are different rules for the placement of cookies and the processing of personal information. A cookie banner that only meets the minimum requirements of the Norwegian cookie regulations does not give you the right to use visitors' personal information under the General Data Protection Regulation. In this case, you must have a so-called legal basis for processing personal information. That means it is not a free pass to process users' personal information.

   Learn more about the legal bases for processing from Datatilsynet.

   If you base analysis and tracking on consent, remember that the General Data Protection Regulation imposes many requirements for valid consent. For example, an active action is required (such as pressing a button or the like). It must be as easy to decline as it is to accept, and users who do not consent must not face negative consequences. Users must understand what they are potentially consenting to, and it must be possible to withdraw consent. If the website intends to use personal information for multiple purposes, it should also be possible to consent to each purpose separately

   Learn more about consent from Datatilsynet.

4. Prevent unauthorized use of personal information from the website

   Often, you must carefully read the terms of service to understand what kind of tools you are dealing with. Some tools only process personal information on behalf of the business, as determined by the website owner. Other tools reserve the right to independently control personal information or use it for their own purposes.

   Using tools in the latter situation requires careful consideration to ensure legality. In other words, there is a significant risk of making mistakes if you are not familiar with what you are doing. Our recommendation is, therefore, to choose tools that commit to processing personal information solely on your behalf and as you dictate.

5. Some websites require more caution than others

   Some personal information is afforded special protection under the General Data Protection Regulation. This may include details about someone's health, orientation, sexual relations, religion, ethnicity, political beliefs, or philosophical convictions – collectively termed «special categories of personal data». Due to their sensitive nature, there are stricter criteria for the lawful processing of such information.

   On certain websites, visitors' behaviour itself may reveal special categories of personal data. For instance, this could be the case for websites offering mental health services, selling medications, or targeting specific minorities. Our clear recommendation is that such websites avoid tracking and analytics tools that process personal information, as it takes little to violate the law in these instances.

   The Data Protection Authority is also concerned about the use of tracking tools on public websites.  A study conducted by the Technology Council (teknologiradet.no) revealed that many public websites employ tracking tools that are intrusive and/or allow third parties to use personal information for their own purposes. The study suggests that several public entities are not currently in compliance with the law. However, the public sector should set a good example. Furthermore, it is in society's interest that everyone feels confident in seeking essential information from public bodies without fear of surveillance and tracking.

6. Prevent the flow of personal information to non-secure countries

   Many tools have offices or subcontractors in countries outside the EU/EØS. This is something you should investigate before implementing the tool. In principle, it is not allowed to transfer personal data outside the EU/EØS. Remote access from a country outside the EU/EØS is considered a transfer.

   Check the terms of service and look for the following:
   - Can data be sent to or processed in a country outside the EU/EØS?
   - Does the tool offer remote support from a country outside the EU/EØS?
   - Does the tool reserve the right to disclose data to authorities in a country outside the EU/EØS 

   If yes: If the relevant country is on the list of countries and regions with an adequate level of protection, it is okay to use the tool. Check the overview here. If the country in question is the USA, check if the business is listed as an approved entity.

   If, however, the relevant country is not on the list of countries and regions with an adequate level of protection, the situation is considerably more complicated. It requires thorough assessments and possibly technical measures to use the solution legally in such cases. If you are willing to embark on this effort, Datatilsynet has created a guide explaining what the rules require. If not, you should look for another tool.

7. Be transparent

   Visitors have the right to information about how you process their personal data. Ensure that you provide honest and easily understandable information about this. If you find it uncomfortable to disclose what you do with visitors' data, it is a sign that you might need to reconsider your practices
   

   Read more about what information you must provide.

8. Respect the rights of the visitors

   When processing the personal information of visitors, they have various rights. For instance, they have the right to access their own data, and in some cases, they can also request deletion. You must be able to handle such requests within one month. It may be necessary for the individuals to provide additional information to enable you to locate their data in the tool.
   

   Learn more about your obligation to facilitate the visitors in exercising their rights.

   We have also created an overview page detailing individuals' rights.

9. Educate yourself - and don't hesitate to ask for help

   There are several obligations in the General Data Protection Regulation (GDPR) that are not mentioned here – for example, regarding the purposes for which you can use personal data or information security and incident handling.

   We have created a comprehensive page outlining all the duties of the business under GDPR, which can be helpful in your work.

   If you find the guidelines challenging to comprehend, you can also call Datatilsynets guidance service.