Telenor Linx Privacy Notice

To deliver our services, Telenor Linx step into one of two roles: Data controller or data processor.

• As data controller we determine why and how personal data is processed. In this case, we are your primary partner when it comes to your privacy rights. You can read more about your rights and how to exercise them below.
• As data processor we deliver technology or services to another company (usually your mobile operator). In this case, the other company acts as the data controller and makes decisions regarding data processing, while we are legally obligated to follow their instructions. Any questions or objections regarding privacy in these cases should be directed to the data controller.

Telenor Linx is the data controller for the services for which you have entered into an end-user agreement with us. This controllership extends to support services for those contracted services like Customer Care, Permissions Management, and Analytics. Telenor Linx is also the controller for our e-com services like international voice, messaging and data transfers and roaming services.

As a data processor, Telenor Linx’ contribution is a background support activity which only exists to enable services offered by another company, usually your mobile operator. In this case, the other party is the data controller and will respond to your privacy concerns.

The personal data we collect, the purpose we process them for and for how long we retain the various data vary according to the kind of service or product. Countries where we process data, or transfer data to, and the legal basis for processing also vary depending on service and product Please see the relevant service or product for details.

In addition to what you will find under each service as a purpose for processing, there will be a few use cases in which we are obligated to process personal data by applicable law.

Third party companies help us to provide and maintain our services. These third parties fall into the following categories:

• Network Operator: We integrate and collaborate with other network operators, for example, other Telenor companies. These activities require data transfers to or from your mobile service provider.
• Partners: Occasionally, we integrate our services with partners outside the Telenor Group. In such a case, each party is responsible for their part of the data processing as a data controller.
• External vendors: We use external vendors to host, deliver, improve, and maintain our services and products. These vendors are data processors to us, which means they are legally and contractually obligated to follow our instructions, maintain your data securely according to our standards, delete your data upon request, and so forth.

Finally, if we decide to sell, buy, merge or otherwise re-organise a business, we may transfer your personal information to purchasers, or partners and their advisers.

In some specific cases, we transfer data to countries outside the European Economic Area (EEA)/European Union (EU). Such transfers occur when:

• a user’s country of residence is outside EU/EEA, and the user is a subscriber to the local mobile network operator and Telenor Linx services are offered with the subscription; or
• a user use Telenor ID to sign into a service based outside EU/EEA; or
• we use the processing capacities of a vendor based outside EU/EEA; or
• we use Telenor Linx own capacities outside of EU/EEA.

In the first two cases, the countries to which we transfer the data are determined by the location of your mobile service provider or the location of the services you are using with Telenor ID. Unless it is necessary to transfer the data to a country outside the EU/EEA for the performance of our contract with you, we enter into standard data protection clauses adopted by the European Commission (“EU Model Clauses”).

Many of our vendors are located in the United States. The hosting services we purchase limit however the location of processing to EU, which means that data is not transferred to nor accessed from outside of EU. For vendors that help us improve and maintain our products, data might be transferred to the USA. In such cases we assess the risk and make the adequate security measures before any transfer starts up.

For the last category, Telenor Linx has full control of the entities and full insight in any authority requests coming into the local Telenor Linx units. Here as well adequate security measures are taken.

All transfer of personal data out of EEA is furthermore based on a set-up with EU model clauses, either between Telenor Linx in Norway and the party outside of EEA, or via a European vendor who as a data processor establish a processor-to-processor model clause with the party outside of EEA.

In electronic communication as elsewhere in society there is a risk for malicious attacks and fraudulent attempts. Telenor process signalling and roaming data in various ways to prevent and stop fraud. We manage firewalls where recognizable fraudulent traffic is stopped, and we look for call patterns we know are likely to be fraudulent to close down traffic from such sources when necessary. Typical case for the latter could be sending thousands of messages in a very short time range to a high-cost number – Wangiri calls trying to trick the called party to call back on a missed call, or “fake support calls” used to scam the victim’s credit card. Characteristic for both types of calls is the sequential dialling generated by machines.

To be allowed to transfer calls to the USA, all calls coming from a sender with a phone number from the North American Numbering plan will be analysed as any other call going through Telenor’s network. In case such a robo-call would pass through to the recipient despite our efforts to prevent it, US authorities may require Telenor’s assistance to track back the real sender of the call.

Fraud detection and prevention is dependent on fresh data, and data used for this purpose will not be stored for more than 24 hours. For monitoring purpose, the last two digits are removed from both the calling and the receiving number (A and B number). The A and B numbers are not combined in any of the fraud alerts to further limit any possibility for reidentification of end-users.

Telenor Linx takes privacy rights seriously and offers in general the rights to access and information to the individuals whose data we collect and process. However, for the international voice and SMS services, as well as the roaming services, Telenor Linx only gathers information from your local operator and operators you roam with, and the full set of information will only be available at your local operator. Additionally, Telenor Linx do not know the identity of the individual users. For these reasons, you will have to ask your local operator for access to your traffic data.

For all other services Telenor Linx is controller of you have several rights regarding your personal data which you can exercise by visiting your privacy settings in your service or contact Telenor Linx directly. Customer Service will handle your requests and answer your questions. These include the:

• Right to withdraw consent: Where you have previously given consent for us to process your personal data, you can withdraw that consent any time.
• Right to access your information: You can ask for more detail regarding the data we collect about you and how we process it.
• Right to rectification: You can request that we correct any inaccurate personal data which we are processing. For most of our services, the simplest way to correct your data is to update your user profile yourself.
• Right to object: When we process your personal data on the legal basis of legitimate interest you have the right to object to such processing.
• Right to erasure: You can request that we erase the personal information we hold about you. This kind of request must meet certain criteria. For example, we cannot delete information required to fulfil our contract with you.
• Right to restrict processing: In certain cases, you may request that we cease processing of your personal data for specific purposes. For instance, you might claim that our use of your data is unlawful, but you may ask us to restrict the processing of data, as opposed to deleting it.
• Right to portability: You have the right to receive the personal data we are processing concerning you. This pertains to the data which you have provided to us and that we are processing based on your consent or to perform a contract with you, provided that the data is processed using automated means. This right includes a direct transfer of your data to another controller, where technically feasible. Please note that the right to portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. We also will not be able to extend this right in a way that would adversely affect the rights and freedoms of others.

See the “Contact Details” section of this Privacy Notice to see options to how and where you may exercise your rights.

All business customer data and vendor data are solely used for professional relationship management purposes. In addition to contact and follow-up, Telenor also runs an annual Net Promoter Score (NPS) survey. We then ask for and collect the NPS from our business customers and vendors. It is voluntary to participate. This data is stored for as long as the customer or vendor has a relationship with our company. At any point in time, contacts can opt out of the survey, and/or ask to have their own data deleted.

Telenor Linx typically log your activities when you log on to our customer portals.

We collect your e-mail address/username and your log-data based on legitimate interest as a legal basis. Our legitimate interest in collecting your log-data is to secure and control access to the (personal) data in the system.

We do not share information about you with any third parties for other purposes than the ones described in this privacy notice.

We will at all times keep our privacy notice updated and notify on our website or application with any changes. For products where we have registered your e-mail address, we will also notify you by e-mail if we make substantial changes relevant to this product.

For requests about access to data, objection to data processing, correction of your data, deletion of data or accounts or to see your history for relevant services, please go to our “Make a request” page: https://manage.telenorid.com/privacy

For opting out of, please go to https://privacy.telenordigital.com/pages/consents

Telenor Linx AS
Snarøyveien 30
1331 Fornebu, Norway
Org. No. NO 996 516 288

Any questions or complaints to Telenor Linx processing of personal data can be addressed to the Telenor Linx’s Data Protection Officer.

You also have the right to lodge a complaint with a supervisory authority.