Overview of Privacy at SESAM

At SESAM we believe in being transparent. Our Privacy Policies will help you understand what information we collect and how we use it. The following Privacy Policies are customized for the different ways Personal Information is collected, based on legal basis and purposes.

Sesam.io AS (also referred to as “SESAM” or “We”), organization number 922 409 676, is an Integration Platform that uses a unique Datahub approach for collecting, connecting and sharing data.

To exercise your rights as a Data Subject, please use our Data Access Portal.

Our Privacy Policies were last updated September 2020.

SESAM Privacy Notice

What information we collect

SESAM will collect the “Required Contact Information” you provide voluntarily when you register with us for the seminar. The information comprises Personal Data, including name (first and last), email, cell phone, job title, and company/organization.

How we use the information about you

All data provided enable us to respond to requests and provide the services requested, including confirming access and to communicate details about the event hosted by SESAM.

Marketing

Referring to the questions asked on the website we would like to use your e-mail address or cell phone number to communicate with you. By ticking the boxes, you agree to that we will send additional information about our company and our services, including information about SESAM and upcoming events, and/or our GDPR product and GDPR compliance.

At any time, you have the right to stop us from contacting you for marketing purposes by withdrawing your consent in our Data Access Portal.

Sharing and disclosure

SESAM will only disclose information with third parties in cases where consent has been obtained. In case of disclosure, SESAM will ensure that the parties to whom disclosure is made, grants the users the same rights as those set forth herein with respect to the processing of Personal Data. This includes the right to be informed about the disclosure and of the data maintained about the user and the right to rectify incorrect or misleading information.

Transfers and Cross-border transfers

SESAM will not transfer Personal Data which is undergoing processing or is intended for processing to a third country or to an international organization, except when Cross-Border Data Transfers are made to adequate jurisdictions authorized by the Commission or if transfers are subject to appropriate safeguards. This may include Binding Corporate Rules, Model Clauses, Standard Data Protection Clauses, Approved Codes of Conduct, or Certifications.

Retention period

SESAM will keep Personal Data for as long as necessary to fulfil our contractual obligations towards you, however no longer than 60 days. Personal Data will be deleted or anonymized as soon as possible when the contractual obligation has ended, or by you withdrawing your consent, unless it must be stored in order to fulfil obligations in statutory law.

The existence of rights and the control of the information we collect

Subject to applicable law, you may request access to your Personal Data or object to the processing. You may also ask us to rectify, update or to have the information deleted, as appropriate. You also have the right to receive the Personal Data relating to you in a structured, commonly used and machine- readable format and have the right to transmit those data. For your protection, we may require proof of identity including proper verification and confirmation of your identity.

At any time, you are entitled to have your rights enforced. If you choose to exercise your rights as a Data Subject, please use our Data Access Portal.

The right to lodge compliant with a supervisory authority

You have the right to lodge a complaint with a supervisory authority if you consider that the processing of the Personal Data relating to you infringes your rights.

Change of the Privacy Notice

It may be necessary for us to make changes to this Privacy Notice. We reserve the right to amend or repeal this notice at any time by posting a revised Privacy Notice or a new document in its place. If such

revised or new notice includes a significant change to the way that Personal Data may be treated, SESAM will notify the user of the fact that its Privacy Notice has changed by sending an email to the address associated with the user.

We encourage you to periodically review this Privacy Notice to stay informed about our collection, processing and sharing of your Personal Data.

SESAM Privacy Policy

In this policy, we aim to demonstrate our commitment to protect our users ́ and/or visitors ́ privacy. The document comprises the processing of Personal Data provided to SESAM.

To exercise your rights as a Data Subject, please use our Data Access Portal.

Personal and other data collected

Through interactions with you as a user and/or a visitor, SESAM collects Personal Data about you.

This comprises information voluntarily given to us when you contact us, including first name, last name, your e-mail address and any additional content submitted while filling out the “Get in touch” form on the Sesam site or if you contact us by other means.

Retention

We may keep your Personal Data for a period of time which is consistent with the original purpose of collection. After expiry of the retention period of two years and/or the purpose is fulfilled, your Personal Data will be anonymized or deleted.

Sharing and disclosure

SESAM will only disclose information with third parties in cases where consent has been obtained. In case of disclosure, SESAM will ensure that the parties to whom disclosure is made, grants the users the same rights as those set forth herein with respect to the processing of Personal Data. This includes

the right to be informed about the disclosure and of the data maintained about the user and the right to rectify incorrect or misleading information.

Transfers and Cross-border transfers

SESAM will not transfer Personal Data which are undergoing processing or are intended for processing to a third country or to an international organization except when Cross-Border Data Transfers are made to adequate jurisdictions authorized by the Commission or if transfers are subject to appropriate safeguards. This may include Binding Corporate Rules, Model Clauses, Standard Data Protection Clauses, Approved Codes of Conduct, or Certifications.

Safeguards

We maintain appropriate organizational, technical and physical safeguards designed to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, as well as all other forms of unlawful processing.

Your rights relating to your Personal Data

SESAM aims to provide transparency for the exercising of your rights. Based on your request to us, we will provide information on action taken without undue delay, and in any event within one month of the request.

To exercise your rights as a Data Subject, please use our Data Access Portal.

Right of access

You will have the right to access the Personal Data held by us and receive information regarding the processing of this data.

Right to rectification Personal Data

Upon your request, SESAM will ensure that inaccurate, incomplete or misleading data are rectified without undue delay.

Right to erasure

If the data is no longer necessary in relation to the purpose which it was collected, consent is withdrawn, the data has been unlawfully processed or have to be erased for compliance with a legal obligation, or you object and there are no overriding legitimate grounds for the processing, you have the right to obtain the erasure of the Personal Data without undue delay.

Right to restrict processing

You can request that the processing is restricted. SESAM must restrict the processing if the accuracy of the data is contested, the processing is unlawful, the data is no longer needed for the original purpose or the verification of overriding grounds is pending.

Right to data portability

You have the right to receive your Personal Data, which you have provided to SESAM, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without hindrance.

Right to object

You have the right to object to any processing of Personal Data relating to you carried out on the basis of our legitimate interests.

Breach

In case of a Personal Data breach, which is likely pose a high risk to your rights and freedoms, SESAM will communicate the breach to you. The notice will be in clear and plain language. SESAM will notify you promptly, consistent with the needs of law enforcement and relevant regulations.

Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with supervisory authority if you consider that the processing of Personal Data relating to you infringes your rights.

Right to an effective judicial remedy against a supervisory authority

You also have the right to an effective judicial remedy against a legally binding decision of a supervisory authority, without prejudice to any other administrative or non-judicial remedy.

Jurisdiction and Choice of Law

Any dispute that may arise between the user and SESAM in connection with this Privacy Policy or SESAM ́s data processing activities shall be subject to, regulated by, and interpreted in accordance with, Norwegian Law. The user may request that the case is brought before a Norwegian court.

Change of the Privacy Policy

The Services and our business may change from time to time, hence it may be necessary for us to make changes to this Privacy Policy. We reserve the right to amend or repeal this policy at any time by posting a revised Privacy Policy or a new policy document in its place. If such revised or new policy includes a significant change to the way that Personal Data may be treated, SESAM will notify the users of the fact that its privacy policy has changed by sending an email to the address associated with the user.

We encourage you to periodically review this Privacy Policy to stay informed about our collection, processing and sharing of your Personal Data.

Service Privacy Policy

In this policy, we aim to demonstrate our commitment to protect our Customers ́ privacy. The document comprises the processing of Personal Data in relation to the Services provided by the processor SESAM.

The Terms of Service Agreement (also referred to as “The Agreement”) regulates the activities, responsibilities and risks between SESAM and the Customers. In the event of inconsistencies between The Service Privacy Policy and The Terms of Service Agreement, including the Data Processing Agreement, the relevant privacy provisions of the latter take precedence.

To exercise your rights as a Data Subject, please use our Data Access Portal.

Personal Data and Service Personal Data collected

By contracting with us, or through your use of Sesam and your interactions with us, SESAM collect Personal Data. This data may include name, address, billing information and so on. This information is regulated and processed according to the terms of our general Sesam Privacy Policy.

Service data is data that resides on the Sesam systems, to which we are provided access necessary to perform the Services, including Cloud environments, as well as test, development, monitoring and support services. This data may include Personal Information about the company ́s employees, customers, partners and suppliers, and will be referred to as Service Personal Data.

Customers instructions

Sesam will process data on behalf of its Customers, in accordance with the Data Processing Agreement and on the Customers additional documented instructions in accordance with applicable laws and regulations.

If, in our opinion, an instruction infringes applicable Data Protection law, we will without undue delay inform our Customers.

Rights of the individuals

The Customer is the Controller of the processing of Service Personal Data, hence any individual the Personal Data is relating to, should direct any requests, including the right to access, erasure, restriction, rectification or objection to the processing, directly to the Customer. We will, insofar it ́s possible, provide reasonable assistance to the Customer in their obligation to respond to requests from individuals.

Retention

SESAM will keep Service Personal Data for as long as necessary to fulfil our contractual obligations towards the Customer, as specified in the Terms of Service Agreement. Service Personal Data will be deleted or anonymized as soon as possible, and within 4 weeks, after termination of the Customer’s account, unless it must be stored in order for SESAM to fulfil obligations in statutory law.

Subprocessors

In all cases where SESAM is authorized to engage third party processors, we will ensure that any arrangement between the subprocessors and SESAM will be governed by a written contract, including terms which offer at least the same level of protection for the Service Personal Data as those set out in the Terms of Services Agreement. SESAM is responsible for the subprocessor’s performance with regards to the processing of Service Personal Data in accordance with requirements set out in applicable Data Protection law.

Security

SESAM has implemented and will maintain all technical and organizational measures designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Service Personal Data.

The SESAM Services are ISO/IEC 27001:2013 certified. The certification governs areas of the security applicable to the Services, including physical access, data access, security oversight, and enforcement. Our employees are required to maintain the confidentiality of all Service Personal Data. More specific security measures are set out in the Agreement.

Breach Notification

SESAM will immediately investigate any suspicious incidents that constitutes or may constitute a Service Personal Data security breach.

When SESAM becomes aware of an incident qualifying as a breach, SESAM will report such breach to our Customers without undue delay, in accordance with the Agreement with the Customer. In accordance to the Agreement and to the extent permitted by law, we will provide our Customers with all additional, relevant information concerning the breach reasonably known or available to us. We will facilitate for our Customers to meet any obligations to report or inform the applicable Supervisory Authorities and/or the Data Subjects of the Service Personal Data Breach.

Transfers and Cross-border transfers

SESAM will not transfer Service Personal Data, which are undergoing processing or are intended for processing after transfer, to a third country or to an international organization except when

Cross-border Data Transfers are made to adequate jurisdictions authorized by the Commission or if transfers are subject to appropriate safeguards. This may include Binding Corporate Rules, Model Clauses, Standard Data Protection Clauses, Approved Codes of Conduct, or Certifications.

Audits

Upon request, SESAM shall make available to Customers, all information necessary to demonstrate compliance with the Data Processing Agreement and the terms of this Service Privacy Policy, and shall allow for and contribute to audits by a Customer or a third-party auditor mandated by the Customer. The Customer shall give reasonable notice of any audit. Any additional audit terms should be included in the Data Processing Agreement.

Deletion or return

SESAM will upon your request or within 4 weeks of the date of cessation of any Services return a complete copy of all the Service Personal Data, and/or delete and procure deletion of all copies of those Service Personal Data. We may retain and store the Service Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws.

Jurisdiction and Choice of Law

Any dispute that may arise between the Customer and SESAM in connection with this Service Privacy Policy or SESAM ́s data processing activities shall be subject to, regulated by, and interpreted in accordance with, Norwegian Law. The jurisdiction is Norway, unless otherwise is agreed in the Terms of Services Agreement.

Change of the Privacy Policy

The Services and our business may change from time to time, hence it may be necessary for us to make changes to this Service Privacy Policy. We reserve the right to amend or repeal this Service Privacy Policy at any time by posting a revised Service Privacy Policy or a new policy document in its place. If such revised or new policy includes a significant change to the way that Personal Data may be treated, SESAM will notify the Customer of the fact that its Service Privacy Policy has changed by sending the Customer an email to the address associated with their User Account, and by posting a prominent notice on the Services.

Recruiting Privacy Notice

This Recruitment Notice describes the handling of Personal Data obtained about job candidates, including information provided by the applicants as well as information collected from third party sources and recruiters.

To exercise your rights as a Data Subject, please use our Data Access Portal.

What we collect and why we collect it

SESAM will process your Personal Data in our capacity as a recruiter. We only collect data necessary and relevant for the performance of a specific job position. The legal basis and the way we collect the information may differ:

1. Personal Data collected from you: When you actively apply for an advertised position at SESAM, the processing of the Personal Data is necessary in order to take steps at your request prior to entering into a potential employment contract. SESAM will collect Personal Data for the purpose to evaluate the job applicant for an employment position.

We ask for certain data when you apply for a position in our company. This is Personal Data you provide to SESAM directly, such as contact information, educational and employment history, achievements and test results, references, job qualifications, such as CV, resume and/or transcripts.

2. Personal Data collected from other sources: We have a legitimate interest in collecting Personal Data from third party sources as it allows us to find and contact potential job candidates and/or to do an assessment and verification of the candidate for a specific position.

SESAM may collect information from third party sources in the recruitment process in order to find and contact potential job candidates. Relevant sources may include, but is not limited to, a person who is explicitly referring you, publicly available websites used for recruitment (incl. LinkedIn) and recruitment agencies. The Personal Data is obtained only to the extent it is permitted by applicable law.

SESAM may also collect information from third party sources allowing the verification of the Personal Data provided to us and the eligibility of the applicant. This data may include: employment information from public sources, information from persons you indicate as a reference, information from employees with whom you may have interviewed, and background check providers, only to the extent it is permitted by applicable law.

How we use the information about you

The Personal Data enables us to respond to your request and adequately communicate with you. The information also helps us to complete a thorough and valid recruitment process, evaluating and verifying qualifications, hence make a deliberated decision regarding employment.

Special categories of Personal Data

We do not request or require, nor do we seek to obtain and process special categories of Personal Data about a candidate, unless and only if, we are required to do so by applicable laws and regulations. If such data is provided from you to us, you explicitly authorize SESAM to process special categories of personal data and we will only process it in accordance to applicable laws.

Sharing and disclosure

SESAM will only disclose information with third parties in cases where consent has been obtained. In case of disclosure, SESAM will ensure that the person to whom disclosure is made grants the candidates the same rights as those set forth herein with respect to the processing of Personal Data.

Transfers and Cross-border transfers

SESAM will not transfer Personal Data which are undergoing processing or are intended for processing to a third country or to an international organization. Cross-Border Data Transfers may take place if the transfers are made to adequate jurisdictions authorized by the Commission or if transfers are subject to appropriate safeguards. This may include Binding Corporate Rules, Model Clauses, Standard Data Protection Clauses, Approved Codes of Conduct, or Certifications.

Retention period

We will only retain the Personal Data for as long as it is necessary for the purpose for which it was collected. Personal Data will be deleted or anonymized as soon as possible when the retention period has ended, unless it must be stored in order to fulfill obligations in statutory law.

In cases where the application is declined, SESAM will hold your file for two years after ended recruitment process. The legal basis for the processing is our legitimate interest, which exceed the need for protection of the data subjects interest or fundamental rights and freedoms. We may ask for your consent to contact you for suitable, future employment opportunities. You are free to withdraw this consent at any time.

The existence of rights of the information we collect

Subject to applicable law, you may object the processing of the Personal Data processed or request to access. You may also ask for rectification or erasure of Personal Data, restriction of the processing, as well as the right to data portability.

You are entitled to have your rights enforced. At any time, you can choose to send a request, by following the directions here.

The right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority if you consider that the processing of the Personal Data collected infringes your rights.

Safeguards

We maintain appropriate organizational, technical and physical safeguards designed to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, as well as all other forms of unlawful processing.

Change of the Privacy Policy

It may be necessary for us to make changes to this Recruitment Privacy Policy. We reserve the right to amend or repeal this policy at any time by posting a revised Recruitment Privacy Policy or a new policy document in its place. If such revised or new policy includes a significant change to the way that Personal Data may be treated, SESAM will notify the user of the fact that its privacy policy has changed by sending an email to the address associated with the individual.

Identity and contact details of SESAM

SESAM takes your privacy seriously.

For more information about SESAM's privacy practices or if you have any questions, feel free to contact us at gdpr@sesam.io.