Privacy Notice

PRIVACY NOTICE FOR
THE NORTH ALLIANCE

The North Alliance will process personal data as part of our business. We are committed to processing personal data safely, reassuringly, and trustworthy.

Our processing as the controller of personal data is based on our activities and the purpose of our business. Below is information about the personal data we process about you, the legal basis for the processing, the purpose of the processing, how long we process the personal data, etc.

We may also process personal data in other ways, as mentioned below, but we will inform you of the personal data that applies in ways other than through this notice.

We may also act as a data processor for our customers in connection with our services, which means our customers are responsible for processing it. See more about this below.

If you have questions about the processing of your personal data, you can contact us. See our contact details below, or you may contact us at privacy@thenorthalliance.com.

1.  RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

The North Alliance is responsible for processing the personal data described here, i.e., deciding why and how the personal data is processed (the data controller). However, this does not apply where we act as a data processor, i.e., processing personal data on behalf of our customers; see Section 5.

Data controllers for any data collected by NoA Consulting are:

• The North Alliance Consulting AB, 556964-9675, Tulegatan 13, 113 53 Stockholm, Sweden

• NoA Consulting AS, 922576505, Nedre Vollgate 11, 0158 Oslo, Norway

2. WHY AND WHAT KIND OF PERSONAL DATA DO WE COLLECT AND USE

We collect and use your personal data for different purposes depending on who you are and how we contact you.

All processing of personal data will be in accordance with this Privacy Notice and the privacy regulations in force at any given time, including the local privacy regulation and the General Data Protection Regulation (GDPR).

Personal data is any information about a physical person that can be identified directly or indirectly (the latter are called “data subjects”).

Processing personal data is any activity performed with personal data, for example, collection, recording, organising, structuring, storing, adapting, altering, transmitting, or deleting.

If we are a data processor, i.e., we process personal data on behalf of others (the data controller). You may request information about the processing from the data controller. You can still contact us about processing your personal data, and we will refer you to the data controller. See also below about our role as a data processor.

2.1 Communication and contact

We process personal data about those who contact us to answer and document the communication and contact others not covered by the processing elsewhere in the Privacy Notice, which applies to all forms of communication, physical and digital, written and oral.

In such cases, we process the name, telephone number, email address and any personal data that may result from the communication, including history/logs about the inquiry.

The processing is based on what we consider a necessary legitimate interest related to the above (see GDPR Article 6(1(f)). Our legitimate interest is to contact others as part of our business, document our business, reply to those who contact us, and register such contacts. We have assessed that this is necessary to handle inquiries we receive, and that the data subjects’ privacy does not override these interests.

Providing us with personal data is voluntary, but it will be necessary to answer inquiries.

We process the personal data until we expect that the contract will not be further followed up, typically for three years.

2.2 Email and other business solutions

We use email as a communication solution and other business solutions, such as document storage, cooperation solutions, etc., that will contain personal data. The processing is based on that we consider having a necessary legitimate interest in processing personal data via email (see GDPR Article 6(1(f)) to have a work tool and communication solution and that the data subjects’ privacy does not override over these interests. Personal data processing depends on the purpose of the email and what is included in it. Emails and other information are deleted when no longer needed, and we have measures to ensure regular deletion.

2.3 Information and Marketing

If you request information or subscribe to our newsletter, we will send information about our products and services, benefits from partners, newsletters, and other information and marketing. We will then process your email address and name.

We process personal data to inform you about services and products that may interest you based on your consent (GDPR Article 6(1)(a)). You can withdraw your consent at any time by using any unsubscribe options in the communications you receive or by contacting us to opt out of direct marketing and/or profiling under GDPR Article 21(2).

We only process personal data, such as the email address and name, to send the newsletter, making the inquiry more personal and ensuring the communication reaches the right person. The email address is not used for any other purposes.

The processing will continue until you have received the requested information or withdrawn your consent. Thereafter, your personal data will be deleted.

2.4 Information on services

We may also send out information about our services and products that do not contain marketing. This will be done regardless of whether you have consented. Personal data will then be processed  based on our legitimate interest in informing our users and contacts about our services (GDPR Article 6(1(f)). Alternatively, we may process the information based on your consent (GDPR Article 6(1)(a)). The purpose of the processing is then to keep you updated about products and services you receive and follow up on purchases of products or services. The processing of personal data will occur as long as our services are received.

2.5 Business customers, suppliers, partners, etc.

We process personal data about contact persons of existing and potential business customers, suppliers, and other partners to manage our relationships with suppliers and others, prepare, implement, and document services, and evaluate the use of services. In these cases, we will process names, contact information, company names, and information related to the contact with the company in which the person in question works.

The processing of personal data is based on the necessary processing and legitimate interest in managing our relationships with our customers, partners, and suppliers.

The processing of personal data is based on what we consider a necessary legitimate interest (GDPR Article 6(1(f)) to manage the relationship with our customers, partners, and suppliers, and the data subject’s privacy does not override our interest.

We also store and disclose information when we have a legal obligation, such as under accounting and tax legislation.

We may store information for as long as necessary to document services-related matters.

In many cases, we will need to obtain personal data to enter into agreements with customers and suppliers and, among other things, to document that an agreement has been entered into. We cannot enter into agreements if we do not receive the information we need.

It is voluntary for contact persons to provide us with personal data. If we collect personal data from others, it will mainly apply to contact information (including name, address, telephone number and email address), position, function, employer, and any competence and references where relevant. The source for such information will be the contact person, employer, or something else, such as the employer’s website.

We store personal data until the relationship with the customer, supplier, or partner ceases or until the contact person ceases to be the contact person, with the abovementioned exceptions.

2.6 Recruitment

CVs, applications, certificates, and references are processed when recruiting for new positions with us. If the processing takes place through a recruitment solution or on the basis that it is necessary and within our legitimate interest to recruit new employees, the processing in this solution may be based on your consent or on fulfilling an agreement with the solution provider that you agreed to when registering in the solution.

We may use recruitment services to manage applications, which will be our data processor. If you register with the job search service with your profile, the service will be a data controller responsible for processing, and reference is made to its privacy notice about the processing of personal data in the service. The processing of personal data is based on your consent in the recruitment service (GDPR Article 6(1)(a)), obtained or the basis set forth below.

If you submit a general (“open”) application, we will store and process it as long as there is a potential opening or until you withdraw it. We will not store an application for more than two years.  

The basis for processing personal data when recruiting is that it is necessary to assess potential job seekers before entering into an employment agreement (GDPR Article 6(1)(b)).

If assessments are made in this regard, such as  examining when searching for background, etc., personal data is processed based on our necessary legitimate interest in ensuring that the correct candidate for the position (GDPR Article 6(1(f)). For the latter, we have considered that the individual data subject’s privacy does not override our legitimate interest in recruiting new employees. We recommend that you not enter special categories of personal data, such as health, religion, political opinion, union membership, etc., in your application.

If we process special categories of personal data, we will do so based on your specific consent (GDPR Article 9(2)(a)). Consent can be withdrawn at any time, which will not affect the lawfulness of processing personal data before the consent was withdrawn.

If you have not agreed to further storage, information on the service will be deleted as soon as recruitment is done.

2.7 Events etc.

For event participants, contact information will be registered and processed, along with which event the person in question is to attend, so that the person in question can identify as registered and the necessary communication can be carried out.

For event participants, contact information will be registered and processed, as well as the event the person attended, so that the person can be identified as a participant and necessary communication and possible invoicing of participation fee can be carried out. Processing of personal data will be based on fulfilling an agreement with the participant (GDPR Article 6(1)(b)) or if the participants represent a company on the basis that we have assessed that we have a necessary legitimate interest (GDPR Article 6(1(f)) by holding events as part of activities. In the latter case, we have considered that our legitimate interest overrides the data subject’s privacy.

If food and/or drinks are served, we may obtain information about food preferences, which can show health and/or religion. This information will only be processed to serve food and/or drinks and deleted immediately after the event. In such cases, the personal data will be processed based on consent.

2.8 Images and film

Images and film may be recorded and used as part of our business. This can include use on websites, in marketing materials, etc. To the extent that images/films are made public, i.e., accessible to multiple persons, consent will be requested for such disclosure if the individuals in question constitute the main subject. If the individuals depicted/filmed are not the primary focus, such as situational photos, images of an audience, etc., no consent will be obtained.

The processing of personal data related to images/films will be based on our legitimate interest in using images/film to show and market our activities (GDPR Article 6(1)(f)), as we consider that this interest outweighs any potential consequences for those depicted. We will only use images and film where it is clear to those depicted that recordings are taking place.

Personal data related to images and films will be processed for as long as necessary to use them. This duration will depend on the purpose of the images/films and may vary accordingly. We will review images/films regularly to determine whether individual videos/films should be deleted or retained.

2.9 Social media

We have contact with stakeholders and others through social media. We have established profiles on various social media platforms, where we are responsible for processing personal data in this connection with the respective platforms. Personal data will be processed through our social media profiles if you publish posts, comment on posts, or interact with our profiles in other ways, such as liking, following, or sharing content. Our purpose for processing personal data through social media is to have contact with you who wish to communicate with us or interact with our profiles in other ways, see also about communication under section 2.2 above.

In this context, your name and link to other information you post associated with your name/account on the respective social media platforms are processed. Additionally, everything you share through posts and comments on our social media profiles and the fact that you have interacted with our profiles is processed. What you share on our social media profiles is up to you and voluntary.

 We ask you not to share personal data in posts or comments on our profiles, especially not to share personal data about others, e.g., by tagging or mentioning people.

We process personal data on social media because we believe we have a legitimate interest in communicating with the outside world through social media and want to process personal data in this context (GDPR Article 6(1)(f)). We have considered it so that we must communicate with the outside world and handle inquiries we receive, and that the data subject’s privacy does not come before these interests.

The data will be processed as long as postings/comments are available on social media, and you can delete this at any time.

2.10 Use of websites, cookies etc.

We will use cookies or similar technology to collect information when you visit or interact with our website. A cookie is a text file or information that, upon visiting or interacting with a website, is placed in your browser’s internal memory or a number/series of numbers that can identify your browser or device using the websites or other similar technology such as pixels (jointly called cookies below).

We use the information collected to improve the customer experience on websites and services, to adapt and develop the website, and to offer functionality in the services. We also use the information to provide visitors with recommendations and service adjustments that are as relevant to you as possible. This will be given based on visitors’ behaviour, e.g., on services used, links clicked on, or information read, and on the behaviour of other users with similar usage patterns. In addition, cookies are used to provide customised marketing on our websites, in advertising networks, and on social media. As far as practically possible, we will be using any option available to anonymize this information.

The cookies used can be viewed in the box on the websites the first time you visit or by clicking on the circle at the bottom left of the pages, or at the link to the Cookie Policy or Cookie Settings pages where you can also change your cookie preferences.

We will process the personal data mentioned above based on your consent (GDPR Article 6(1)(a)). The information will be processed until you withdraw your consent, which may be done by changing the cookie preferences in the cookie consent box.

Necessary cookies are processed based on our necessary legitimate interest (GDPR Article 6(1(f)) to adapt the website to our users and we consider that the data subject’s privacy does not override this interest.

However, we safeguard the privacy of website visitors by only using the information for statistics where individuals are not identified. The information will be processed as long as necessary for the abovementioned purposes.

3. PROCESSING BASED ON CONSENT

If we process personal data based on your consent (see above), you can withdraw your consent at any time without affecting the lawfulness of processing before its withdrawal. Contact us if you want to withdraw your consent. Note that if you withdraw your consent, it may still be possible for us to continue processing all or part of the information if there is another basis for the processing.

4. RETENTION AND DELETION OF PERSONAL DATA

We keep and store personal data for as long as necessary for the purpose for which it was collected and delete it under regulations. The length of time we process the individual data types is included above under the specification of the different processes.

When we delete the information included above where the individual processes are discussed, or else the storage period is based on the following criteria:

• Whether we have a legal or contractual need to retain the information, as there may be claims directed against us

• Whether the information is necessary for our business

• Where the basis of processing is consent, when consent is withdrawn.

When we no longer have an ongoing legitimate need to process your personal data, it will be deleted or anonymised as quickly as possible in accordance with applicable law.

Instead of deleting the personal data, it may be relevant to anonymise it in some cases. Anonymisation removes all data that may identify or potentially identify data subjects (individual persons) from data sets.

This means, for example, that personal data that we process based on your consent will be deleted if you withdraw your consent. Personal data that we process in connection with sales or purchase agreements you have with us is deleted when the agreement is fulfilled. All obligations arising from the contractual relationship are fulfilled, such as legal obligations related to accounting, follow-up of customer-related complaints, etc. Personal data related to our fulfilment of legal obligations is deleted as soon as the legal obligations have been fulfilled, such as the obligation to keep accounts.

5. PROCESSING PERSONAL DATA AS PART OF SERVICES

Customers who use our services are data controllers for the personal data processed by using the services and are responsible for processing the personal data when using the services. We will then process personal data on behalf of the customer, who is the data processor. A data processor agreement has been entered between the customers and us to regulate our processing of personal data on behalf of the customers.

As our customers are responsible for the processing (the data controller), you must contact our customer to enforce your rights; see below.

This privacy notice also applies to processing personal data about our customers, disclosing and transferring personal data, and security/technical matters. Personal data is deleted depending on when our customers choose to delete it. We will never use information or information from our services without our customers’ instructions or approval.

6. DISCLOSURE OR TRANSFER OF PERSONAL DATA

We do not disclose or transfer personal data to others in cases other than those mentioned in this notice unless there is a legal basis for such disclosure/transfer. Examples of such a basis will typically be an agreement with or consent from the data subject or a legal basis that requires us to publish the information. The latter applies to public activities such as tax collection (if necessary), accounting/auditing, and other things we need in our business, such as a bank connection.

We will share and transfer personal data related to providing services to our customers, such as contact information on employees on our customers and other data related to joint assignments with other companies in our group. Such sharing is made by us as a data controller to the other company in our group, also as a data controller.

We use data processors to process personal data on our behalf. In such cases, we have entered into data processing agreements with the data processors to safeguard your rights and security for your personal data at all stages of the processing.

If it is required by law or there is a suspicion that a crime has been committed in connection with our services, personal data may be disclosed to public authorities, such as the police, in case of an investigation.

If personal data may be subject to transfer to another organisation in connection with a merger, financing, reorganisation or dissolution transaction of all or part of us, we will only do so if the parties involved have entered into an agreement where the collection, use and sharing of personal data is limited to the purposes of the transaction, including a provision as to whether or not the transaction will proceed, and the personal data shall only be used by the parties involved to complete and complete the transaction. If another company buys our business or assets, this company will have access to the personal data we collect and will assume the rights and obligations regarding your personal data as described in this privacy notice.

7. TRANSFER OF PERSONAL DATA TO RECIPIENTS IN COUNTRIES OUTSIDE THE EEA

It is an objective that all processing of personal data shall be carried out within the EEA, but we may use suppliers or process personal data outside the EEA. In such cases, transfer and processing outside the EEA will take place in countries approved by the EU Commission or under a valid legal basis for the transfer of personal data under GDPR Chapter V. If transfer to countries approved by the EU Commission does not take place, the transfer will only take place after guarantees set out in Article 46(2) of the GDPR. You can get information on the lawful basis used for the transfer if you contact us.

8. SECURITY OF PROCESSING

We prioritise the security of personal data in our business and will implement all required technical and organisational measures to secure your personal data. If possible, all processing will be encrypted and unavailable to anyone other than those needing personal data to perform their tasks (“need-to-know”).

We ensure that personal data is correct, accessible, and handled according to its degree of sensitivity. We also use various security technologies and information security procedures to protect your personal data from unauthorised access, use, or disclosure. Where necessary, risk assessments are carried out.

We have entered into data processor agreements with all our suppliers who process personal data, where they assume the same degree of security as we ensure in processing personal data.

We restrict access to personal data to staff or third parties who process it on our behalf. These parties are subject to a duty of confidentiality.

Routines have been established for handling breaches of information security and routines, and we will, if there are breaches that pose a risk to personal data, notify the supervisory authority  as soon as possible and no later than 72 hours after the breach is discovered. If the breach entails a high probability of the privacy of the data subjects affected by the breach, they will also be notified.

9. YOUR RIGHTS WHEN WE PROCESS PERSONAL DATA ABOUT YOU

Below is a description of your rights when we process your personal data. To exercise your rights, you must contact us, see contact information above, or otherwise, if it follows below.

We strive to respond to your inquiry as soon as possible and within one month. If it takes longer than one month, you will be notified.

In some cases, we will request you to confirm your identity or provide additional information before you can exercise your rights to make sure that we only give access to your personal data to you - and not someone who pretends to be you.

Your rights set forth below apply where we are responsible for processing them. If we are a data processor for our customers, and you use services from one of our customers, the customer is responsible for the processing of personal data (the data controller). You must then contact the one from whom you receive the services to exercise your rights related to processing your personal data. Your rights will then essentially be as described below.

9.1 Information

You have the right to information about the personal data we process about you. This policy provides information on the processing of personal data. You can also contact us if you want more information.

9.2 Access to Your Personal Data

You have the right to request access to the personal data we processed about you. Contact us if you want such access.

If you request it, you will also receive a copy of the personal data we process about you. We may ask you to specify which data you wish to receive a copy of to make the release easier for us. Upon providing a copy of your personal data, we may require you to identify yourself to ensure we do not disclose personal data to unauthorised persons. The information about you will be sent in digital form unless you request it to be transferred in another manner.

9.3 Correction and deletion

You can ask us to correct or delete personal data. We will, as far as possible, accommodate a request to delete personal data, but we cannot do this if the data is necessary for us.

9.4 Processing based on your consent

If we process personal data based on your consent, you can withdraw the consent at any time. The easiest way to withdraw your consent is as informed to you when you give your consent or to contact us.

9.5 Right to protest or restrict the processing

You have the right to have your processing restricted or stopped in certain cases, see further in GDPR Article 21.

9.6 The right to data portability

For personal data that you have provided to us, which is necessary to carry out an agreement with us, and which is processed automatically (i.e. not manually by us), you can request that the personal data be disclosed or transferred to another provider in a structured, commonly used and machine-readable format (data portability).

9.7 Automated processing, including profiling

There will be no automated processing, including profiling, based on your personal data that may have legal effects or significantly affect those to whom personal data applies. See GDPR Article 22(1) and (4).

9.8 Right to be notified

If a data breach occurs, i.e., a breach of personal data security that would pose a high risk to your privacy, we will notify you without undue delay.

10. COMPLAINTS

If you suspect that our processing of personal data is not in accordance with what we have described here or that we, in other ways, violate the privacy legislation. In that case, you can complain to the competent Data Protection Authority. However, we ask you to contact us so we can correct the matter immediately.

You will find information about your rights and how to contact the:

Norwegian Data Protection Authority: www.datatilsynet.no

Danish Data Protection Authority: www.datatilsynet.dk

Swedish Data Protection Authority: www.imy.se

Finnish Data Protection Authority: www.tietosuoja.fi

Polish Data Protection Authority: uodo.gov.pl

11. AMENDMENTS

Should our services or regulations on processing personal data change, the information you have provided here may be changed. We will inform you of these changes if we have your contact information. The updated privacy notice is readily available on our website.

Last updated: 17 February 2025