Diri is a Norwegian company with legal entities, business processes, management structures and technical systems that cross national borders. Diri supplies software and services to private and public companies (customers) worldwide. Diri’s head office is in Gjøvik and is subject to European privacy legislation, including the General Data Protection Regulation (GDPR).
The top management in the company makes all strategic decisions about privacy in Diri.
Personal data is information that can identify you as a person, e.g., an e-mail address, street address, telephone number, etc. Processing of personal data is necessary for us to be able to serve our customers.
2. About whom we process personal data
Diri processes personal data about job seekers, contact persons and users of services or products related to our customers. In addition, we process personal data about people who represent potential customers, e.g., contacts us via Diri websites or other channels. You can read more about how we process this type of personal data in the section dealing with Diri as the data controller.
Diri also processes personal data on behalf of our customers, with the customer as the data controller and Diri as the data processor. You can read more about how we process this type of personal data in the section dealing with Diri as a data processor.
3. How Diri processes personal data as a data controller
When Diri determines the purpose of and the processing of your personal data, Diri is considered the data controller. This includes scenarios where Diri collects personal data in connection with you being a job seeker, contact person for a customer or potential customer, or when you are a user of our services.
Why we process your personal data
About customer contacts and users
To manage our customer relations in general and to fulfil specific obligations towards customers according to service agreements, Diri needs to process personal data about you in your role as customer contact or user of a service. The purpose of the processing of this personal data is:
1. Carry out sales and contract processes with customers and potential customers
2. Provide customers and potential customers with offers for products and services
3. Carry out deliveries by agreements with you or customers
4. Offer support to users of our products and services
5. Improve and develop the quality, functionality and user experience of our products and services, as well as on Diri’s websites
6. Detect, minimise and prevent security threats
7. Prevent misuse of our products and services
8. Process orders, invoicing, payments and other administration
9. Map displayed interests on Diri’s websites to provide you with content you seem to be interested in, with an effective option to “opt-out”
10. Operate online forums to provide training and facilitate interaction and dialogue between users and Diri
The legal basis for processing personal data according to the stated purposes in points 1 to 9 is essentially that Diri believes we have a legitimate interest in processing your personal data for these purposes from a business perspective, and because we believe that this does not constitute an encroachment on your right to privacy. The legal basis for processing personal data according to the purpose listed in point 10 is your consent.
About contact persons for potential customers
Diri processes personal information about contact persons for potential customers for marketing purposes. To offer targeted and relevant content to potential customers, Diri builds an interest profile based on contact persons’ movements, choices and actions on Diri’s websites, as well as in connection with contact persons’ responses to e-mails from us. The legal basis for such processing is mainly the contact person’s consent.
You can read more about how we create such profiles and how you can adjust the profile and withdraw your consent below.
About job seekers
If you are a job seeker, we process your personal data to assess your opportunity and potential to be employed by Diri. The legal basis for such processing is your consent.
How we collect your personal data
Diri generally collects personal data directly from you or other people associated with the customer. These people can be a manager or colleagues. If the customer you work for buys Diri’s products or services via a Diri partner, we can collect information about you from our Diri partner.
Sometimes, we may also collect information about you from other sources. These sources can be publicly available or on third-party social networks such as LinkedIn or proff.no. Diri can combine personal information about you from one data source with data obtained from another. This gives us a more complete picture of you and allows us to serve you in the best possible way.
Automatic data collection tools
Diri uses various digital tracking technologies to collect information about your movements on Diri’s websites and when interacting with us.
Cookies and technologies from Google
Google Tag Manager: A tool for adding functionality to websites.
Google Analytics 4: This cookie allows us to see information about the user’s activities on websites, including but not limited to page views, source and time spent on a website. IP addresses are not stored in Google Analytics 4. This helps to protect your privacy. With the help of Google Analytics 4, we can see which content is popular and less popular on our websites and work to give our users more of the things they like to read and watch. Data is stored in Europe.
You can prevent the information generated by Google’s cookies by downloading and installing the Google Analytics Opt-out Browser Add-on for your current browser. This add-on is available at http://tools.google.com/dlpage/gaoptout.
Cookies from Zoho
SalesIQ: Cookies are used to collect and analyse visitor data when they land on the website. This helps us provide the best user experience to our website visitors. It also allows the user to contact us via our Chat service.
What types of personal data do we process
The type of personal data that Diri processes about you can be:
Basic contact information such as name, address, telephone number and e-mail
- Demographic information such as date of birth, age and gender
- Job information such as employer, title, position, as well as professional preferences and interests
- Feedback, comments or questions from you about Diri or our products and services
- Content you have uploaded, such as images or videos
- Unique user information such as login ID, username, password, security question etc.
- Financial information such as credit card information, billing address, etc.
- Information provided by your browser such as the type of browser or console, language and the address of the website you came from, as well as other traffic information such as IP address
- Clicks and movement on Diri websites and in our products and services
- Other personal data in your profile that you have freely provided on third-party social networks, such as LinkedIn
As a data controller, Diri does not process sensitive personal data about you.
How we share your personal data
Diri may share your personal data with external third parties in the following contexts:
Suppose you post a post, comments or similar on Diri’s online forum or other forums on Diri’s website. In that case, such information can be read and used by anyone who has access to such forums and used for purposes over which neither the users nor you have control. Diri is not responsible for information you make available in such online forums, Diri websites or other similar forums.
Diri may share your personal data with our partners by applicable data protection legislation. For example, if you buy a product or service on behalf of your employer that Diri offers through one of our partners. In such a situation, Diri and our partner may share your personal data to deliver the product or service to the customer.
The police and other authorities can demand the release of personal data from Diri. In such situations, Diri will only hand over personal information and data if there is a court order or similar.
Mergers and acquisitions
In connection with mergers, acquisitions or reorganisation of Diri’s operations, the acquiring entity and its consultants can gain access to data managed by the company, which may in some cases include personal data. In such cases, external parties will sign a non-disclosure agreement with Diri.
4. Your rights
Right to opt-out of marketing communications
You have the right to notify us that you do not wish to receive marketing from Diri. You can do this by following the instructions for reservations included in the marketing communication.
Please note that even if you choose not to receive marketing communications from Diri, you may still receive administrative communications such as order confirmations or notifications necessary to manage your account or the services we provide to our customers.
You have the right to access your personal data and can request an overview of the personal data we store about you. You may also have the right to take your personal data from one business to another (data portability). You also have the right to request that Diri correct errors in your personal data.
You also have the right to submit a complaint to the Norwegian Data Protection Authority regarding our processing of your personal data if you, e.g., consider the processing unlawful.
5. How does Diri protect and store your personal data
This is how we protect your personal data
Diri takes the trust you and customers show us seriously. Diri is concerned with preventing unauthorised access to and forwarding of personal data. Diri must ensure that the personal data we process is treated confidentially, maintain the integrity of the personal data, and ensure that it is accessible in accordance with the applicable data protection legislation.
As part of our obligations, we use adequate organisational, technical and physical procedures and measures to protect the personal data we process, given the type of information and the risk you and our customers are exposed to in the event of a possible deviation. We believe in building a solid corporate culture where respect for and awareness of privacy among our employees is fundamental to ensuring legal processing and protection of personal information and data. The following measures are essential in this regard:
- At Diri, we have internal specialist expertise related to the GDPR, in addition, we have access to legal expertise that provides advice in all specific matters concerning privacy
- It is mandatory for all employees to undergo privacy training
- Diri keeps a record of its processing activities and continuously assesses risks when processing personal data
- Data processing agreements are entered into with subcontractors who process personal data
- Classification of personal data to ensure that the security measures implemented are in proportion to the assessment of risk
- Assess ongoing use of encryption and pseudonymisation as risk-reducing measures
- Restrict access to personal data to those who need access to fulfil obligations under service agreements or legislation
- Using systems that detect, remedy, prevent and report privacy breaches
- Use security audits to continuously assess whether current technical and organisational security measures are sufficient
- The premises are protected with access control and video surveillance systems
How long do we process your personal data
Diri only processes your personal data as long as it is necessary for the purpose communicated to you or the customer in connection with the collection of the personal data while taking into account our need to be able to answer questions from you or the customer, resolve disputes, as well as comply with legal obligations under applicable laws. This means that Diri can retain your personal data for a reasonable period after your and our customer’s last interaction with us.
When the personal data we have collected is no longer necessary to fulfil the purpose behind which it was collected, we delete it. We may process data for statistical purposes, but in such cases, the data will be pseudonymised or anonymised, as personal information is not interesting in this context.
6. Diri as data processor
Diri offers various services to our customers. Most of these services involve processing customer data, including personal information. Our customers determine the purpose of the processing of personal data. This means that the customer is the data controller, Diri is the data processor, and Diri only processes personal data on behalf of the customer. The relationship between the customer as a data controller and Diri as a data processor shall be regulated by a data processor agreement.
The customer’s and Diri’s obligations
When the customer acts as data controller, following the applicable data protection legislation, this must ensure the legal basis for processing personal data. Furthermore, the customer must consider establishing ownership of the risk when processing personal data. Another critical aspect of the customer’s responsibility as a data controller is to comply with the obligation to provide information to the registered persons.
Diri is a natural part of the customer’s responsibility as a data controller because Diri’s services are part of the processing of personal data that the customer must ensure is in accordance with current privacy legislation. When Diri processes personal data on its customers’ behalf, we must follow the data protection legislation that applies to data processors.
In short, both the customer and Diri are obliged to cooperate to ensure the privacy of the registered persons. Diri must provide the information necessary for the customer to be able to comply with the applicable privacy legislation.
How does Diri use subcontractors to process personal data
Diri uses subcontractors to process personal data and can export our or customers’ data to other companies within the EU. These subcontractors are usually providers of cloud services or other IT services.
When using subcontractors, Diri will enter into a data processor agreement to protect your rights to privacy by current privacy legislation and to fulfil our obligations to customers.
Diri depends on strategic partners to be successful with our business processes and to be able to offer you our services in an efficient, safe and cost-conscious way. These third parties include, but are not limited to:
|Microsoft||Data processor’s data centre, hosting||https://www.microsoft.com/en-us/trust-center/privacy||EU/West Europe|
|Crayon||Service provider Azure||https://www.crayon.com/no/om-oss/privacy-and-security/||EU/Norway|
|Zoho||CRM, Service desk, Help pages and forum||https://www.zoho.com/privacy-commitment.html||EU|
|Tripletex||Invoicing and project management||https://www.tripletex.no/personvernerklaering/||Norway|
|Mailjet||Sending e-mails such as newsletters and notifications in the application||https://www.mailjet.com/legal/security-privacy/||EU|
You are always welcome to request an overview and more detailed information about Diri’s subcontractors, including documentation of the legal basis for international transfers.
8. How to contact us
You can also send us a written inquiry by post.
We treat all such inquiries confidentially, and our privacy officer will contact you to deal with your issues and outline the possibilities for a solution. We aim to ensure that all questions are handled efficiently and appropriately.