The registry activity is largely centred around keeping an overview of who has committed to what. Transparency and overview prevents financial crime. Reliable and relevant information provides financial safety. In connection with the management of our tasks, we register personal data.
This is how we process personal data
All information related to you as an individual is personal data. All documents being submitted to and from the Brønnøysund Register Centre, will be scanned and saved in our case processing system or in the electronic arhive system Public 360. Certain information is subject to registration in a register, such as information in notifications. Other types of information may be attachments to notifications, complaints or other types of inquiries. In all cases, you will be able to find personal information in the documents.
The vast majority of the information with us is registered directly in accordance with law, as the various special laws regulate each individual register. The basis for processing this is Article 6, number 1(e) of the General Data Protection Regulation GDPR), which allows us to process information necessary to exercise public authority. If your inquiry contains special categories of personal data, the basis for our case processing is Article 9, number 2 (g) of the GDPR. Special categories of personal data are information which pursuant to law requires more than others to be processed, such as information about religious affiliations or political opinion.
Personal data processed in the registers are first of all the name, address and national identity number in connection to roles, rights or obligations a person has. We also record information about our customers when they order information and use paid services. The information this applies to is mainly name, address, e-mail address and account number. In certain cases, the national ID number will be used as an identitier, if necessary.
It is essential to use the national identity number to make sure that we register the correct person, and thus the quality of the information. We collect information about, among other things, name and address from the National Population Register (NPR). If there is no correspondence between, for example, the address that is reported and what appears from the NPR, we register the information from the NPR. We do not provide information about the national ID number, as this is not public information.
In most cases, the registration is based upon online submission and processing of the notification. It is the reported information that will be processed. As part of the control of the data, we will in certain cases obtain necessary information from other public enterprises or other sources, such as the licence register of the Financial Supervisory Authority of accountants and auditors, the Tax Administration and Supervisory Council for Legal Practice.
Our decisions are not only based upon automated processing. We do not prepare individual profiles based on individual data we collect.
Personal information being registered, will exceptionally be used for test purposes, when there is a need to elaborate or make changes in our systems and services. It is only relevant to use individual data when the use of synthetic data is not suitable, or the use of such data is disproportionally resource-draining. Under these circumstances, we carry out measures to preserve information security and the registered privacy.
We need to secure our systems, offices and premises, and we therefore use camera surveillance. This will prevent and reveal burglary in our premises. We save the recordings seven days before they are deleted.
Inquries to us by telephone, e-mail or post
We use the Phonero telephone system to handle telephone inquiries, and we retain names, addresses and telephone numbers that are retrieved from the phone number information. If the user has called previously during the last three months, this will also appear. The personal data that is saved in the telephone system, and which is necessary to manage and operate this, we keep for a short period of time. Complete log will be deleted after one year. If there is a need for personal information for statistics, these are anonymised.
When a user contacts us by e-mail, we retain the e-mail address and personal data contained in received e-mails. We save this information for one month in order to handle further dialogue with the user. When a user contacts the Business Guidance, by telephone or through the contact form at Altinn, we preserve the telephone number or e-mail address if we need to contact the user again. We also retain postal codes for statistical purposes, but these are anonymised. Information about the user will be saved for one month, so that we may continue the dialogue with the user. Then we anonymise the information.
The basis for the processing is Article 6, number 1 (f) of the GDPR. It allows us to process information that is necessary to safeguard an interest that outweights the privacy of the individual.
Our employees use e-mail both internally and externally, as part of the daily work to managing our registers. The individual employee is responsible for deleting e-mails in their own e-mail account, as they will no longer to be saved. When a co-worker quits, the e-mail account will be deleted.
Please note that e-mail is basically unencrypted. Therefore, you should not submit confidential, sensitive or other confidential information by e-mail. We have internal guidelines for what information we are not submitting by e-mail, this applies, for instance, to national ID number.
Documents that are regarded case documents, as they are a part of the case processing, and because they funktion as documentation, are covered by the main rules for document publicity, record keeping and archiving. This means that e-mails that are considered case documents, must be recorded. The same applies to case information received through telephone inquiries. These are recorded in the case processing system of the relevant register, or in the archive system Public 360. We use this system for electronic archiving and processing of documents. Incoming and outgoing mail that is not handled in a case processing system for the individual register, will be processed in Public 360. The system is provided by Tieto, is Noark 5-approved, and meets the strictest security certifications.
The basis for processing this is Article 6, number 1 (e) of the GDPR, which allows us to process information that is necessary for the exercise of public authority. If your inquiry contains special categories of personal data, the basis for our processing is Article 9, number 2 (g) of the GDPR. Special categories of personal data are information that, according to law, requires more than others to process, such as information about religious affilation or political opinion.
Responsibility for the personal data
Our director is responsible for all processing of personal data with us. The day-to-day responsibility to meet our obligations is assigned to the head of the relevant register and the electronic solution where the personal data is registered.
Securing of information
We have a socially critical duty and objects worthy of protection. This makes high demands on safety. We have established a management system for information security that applies to all our activity in line with ISO 27001.
Access to the personal data in our systems is limited and governed through access controls based on official needs. All our employees have confidentiality in accordance with the rules in the Public Administration Act.
Rights for the data subjects
As registered in our registers, you will have rights that follow the legislation for the relevant register, or subject area. In addition, you will have rights according to the legislation that applies in general. We are an administrative body, and our activities are regulated by the Public Administration Act with regulations. The law regulates, among other things, case processing, the right of appeal, the duty of confidentiality and party access.
The Personal Data Act and GDPR stipulate, among other things, terms for processing personal data and rights for the data subjects. Below is general information about rights for you who are registered. We point out that the regulations also contain a number of exceptions to these rights, which are not reported here. If you wish to exercise your rights, please contact us. We will respond to your request free of charge as soon as possible, and no later than within one month. Here you will find our contact information.
Information about how we process your personal data
As data subject, you have the right to access information about what personal data we process, who is the data controller, the purpose of the processing, the legal basis, which source the information is sprung out of, any recipients of information, storage time and your rights. Mainly, we process personal information that is reported to us in connection with registration in our registers. In most cases, the various special laws specify what information we must register and how it must be processed. We have provided general information about this in this privacy statement. You can also request more thourough information by contacting us. After the information has been registered in our registers, we normally send out a confirmation showing the information that we have registered.
Access to personal information
When you are registered with us, you have the right to request access to the personal data that is registered about you, and more in-depth information about how this is processed. The special laws stipulate that most of the information in our registers is publicly available to everyone. In addition, the Freedom of Information Act usually provides everyone the right to claim access into documents that have been sent in and out in connection with the registration of information. As a public agency we are obliged to make our public records available on the internet. Our inbound and outbound case documents have been made searchable on the internet through the publishing service elnnsyn. Here you search for information from our public journal and request access. It is also possible to apply for a personal name, but only for the first twelve months after the publication date. Exceptions from the right of access follow from various laws and regulations, including the Freedom of Information Act’s rules about confidentiality. As a party to a case, you have the right to access the case documents pursuant to the Freedom of Information Act.
Correction of errors
You have the right to have incorrect information about you corrected. This is to be done without undue delay. You may also request that we add information, if it is incomplete.
Correction of information should usually be made by the one with reporting obligation that sends us a notification about this. Who is required to report and how the notification is to be prepared, follows from the legislation for the relevant register.
If we discover that an information is incomplete or incorrect, and this is due to our case processing, we will on our own initiative correct the error.
We receive updates of information from the National Population Register. If you discover errors in information about, for example, name or address, you must contact the National Population Register in order to have the error corrected.
If you discover that information is incorrect or incomplete, we recommend that you contact us for information about how the current information can be corrected.
Archiving and deletion
In most cases, deletion from our registers takes place based on a submission of a change or deletion by the notifier. It is the law for the individual registers that determines who is obliged to report. For some of the registers, we may delete information without receiving a notification.
As a public body we are subject to the rules in the Archives Act with regulations, and we file documents acoording to further provisions in this Act. The law regulates, among other things, the right to correct and delete archive materials. This means that we in many cases have to save registered information in historical archives, even after they have been officially deleted from the registers. This means that deletion from registeres in most cases does not imply a physical deletion, but that the information is removed from the official register, and transferred to historical archives.
Right to object the processing
Some times you may have the right to object to the processing of your personal data. This does not apply if we process your personal data due to the legislation, or if it is necessary in order to perform an agreement you have with us. If you believe that we do not have the right to process personal information about you, please contact us.
Complaint to the Data Protection Authority (DPA)
If you experience something that you mean is a violation of the privacy regulations, you have the right to complain to the DPA. Please read more about this at the Data Protection Authority.
Do you have questions about the privacy statement?