1.1. The service
DEFA Plot (hereinafter referred to as the “Service”) is a mobile service application that passively tracks movement, classifies transportation events and transportation types, and automatically logs transportation types categorized as a drive with a vehicle. The Service allows the user to classify drives into business or private categories in order to create reports for e.g. administration of a car fleet, reimbursement purposes or tax reports.
The Service is offered by DEFA AS (hereinafter referred to as “DEFA”, “we” or “us”), with org.nr. 945 692 758, having its registered office at Blingsmovegen 30, 3540 Nesbyen, Norway.
DEFA AS’ contractual counterparties of the Service are referred to as our “Customers”, while any persons who uses the Service, including the Customers’ employees and other persons with the employee, are referred to as the “Subscribers” of the Service.
1.2. The parties
When DEFA is processing personal data about the Subscribers of the Service for the purpose of operating the Service, DEFA is processing personal data on behalf of their Customers. For the processing for these purposes, DEFA is regarded as the processor of the personal data. For this processing it is the Customer who determines the purpose of the processing of the personal data and which means are to be used. Hence the Customer is regarded as the controller of the personal data. Reference is made to section 2.2.1 below.
Provided that DEFA obtain a consent from the Subscriber, DEFA may also process the Subscribers’ personal data for DEFA’s own purposes, cf. section 2.2.2 below. For such processing DEFA determines the purpose of the processing of the personal data and which means are to be used, hence, DEFA is regarded as the controller of the personal data. For such processing DEFA processes personal data about the Subscribers without responsibility for the Customers.
1.2.1. The legislation
The service is governed by Norwegian Law. DEFA’s processing of personal data is governed by the Norwegian Act of 14 April 2000 No. 31 relating to the processing of personal data (hereinafter referred to as the “Data Protection Act” or the “DPA”) § 11, cfr. § 8 f) and the Personal Data Regulations (hereinafter referred to as the “PDR”) implementing Directive 95/46/EC and/or its implementing decrees. Where there are no other legal basis for processing of personal data your consent will constitute the relevant legal basis for the processing of your personal data.
Furthermore, the processing for the purpose of providing the DEFA Plot service, is regarded as a control measure in the Customers undertaking, pursuant to chapter 9 of the Act relating to working environment, working hours and employment protection, etc. (hereinafter referred to as the “Working Environment Act”). For the processing for these purposes the Customers are obliged to comply with the requirements in § 9-1 and 9-2 of the Working Environment Act.
The use of the Service for the purpose as described in section 1.1. above, will presumably be compliant with both the Working Environment Act § 9-1 and the DPA § 11, cfr. § 8 f). We emphasize that the Customer undertaking must make its own consideration.
2. The purpose of DEFA AS’ processing of personal data
2.1. Data Collection
When a Subscriber installs, runs and uses our services we collect;
- Location data: DEFA Plot uses a cell phone’s location services which, depending on the device and available services, uses a combination of cellular, Wi-Fi and GPS to determine a location.
- Information provided by the Subscriber: DEFA AS collects the name, email address and phone number of a Subscriber
- Device information: DEFA AS collects information about the phone’s operating system, device identifier, sensors, carrier, language, battery performance, Wi-Fi or other network connections and other data that you permit the App to access on your device including through permissions on your device (e.g. Google Play on Android).
2.2. How data is used
The purpose of DEFA’s processing of personal data is divided:
2.2.1. Processing for the purpose of providing the DEFA Plot service
Firstly, DEFA is processing personal data about the Subscribers of the Service on behalf of our Customers, for the purpose of operating the Service.
Tracking data from the Subscriber’s mobile telephone is used to map a Subscriber’s daily movement. Tracking data will be sent to DEFA AS’ servers in different intervals, where it is analysed before it is sent back to the subscribers’ mobile telephone. The analysed data is then stored in DEFA’s databases and made available for the Subscriber in the web application and on the mobile telephone.
For the processing for these purposes DEFA is regarded as the processor of the personal data on behalf of the Customers. The Customers are regarded as the controllers of the personal data. Reference is made to section 1.2 above.
As the controller the Customer has an obligation to give notification about the processing to the Data Inspectorate. The Customer may fill out and submit a Norwegian electronic form on the Data Inspectorate’s website: https://melding.datatilsynet.no/melding/ Alternatively, the Customer may submit a paper form and sent it to the Data Inspectorate by e-mail, fax or letter. The form (pdf) is available in English here https://www.datatilsynet.no/English/Notafication-form/ The purpose of the processing must be specified under section 6 b) of the form by ticking of the alternative “Other processing, private sector” The processing should be specified to concern electronic travel log under section 6 c.
2.2.2. Processing for DEFA’s own purposes
Furthermore, pursuant to DEFA’s agreement with the Customer, DEFA may process personal data about the Subscribers for DEFA´s own purposes, provided that DEFA has obtained a freely given consent from the Subscribers. This consent will be obtained electronically when the Subscribers sign up to use the Service.
DEFA will process the Subscribers’ personal data for various purposes:
- Developing the user experience: data we collect may help us improve our overall user experience and accuracy of tracking. For example, location information, e.g. a ferry ride, may be used to train our algorithm to become more accurate in distinguish one transportation type from another. The location data will be extracted and processed on an aggregated level. The Subscriber’s identity shall not be retrievable.
- To improve the service: we may use our Subscribers personal information to create a better understanding of who our users are and how they use our services. This data helps us to improve our services to fit better to our users’ needs.
- Customer service/support: we may use a Subscribers contact information, device information and usage data in connection with our customer service.
In such case DEFA acts as the controller of the Subscribers’ personal data without responsibility for DEFA’s Customers, cf. section 1.2 above. Furthermore section 4-10 below shall apply.
DEFA has its registered office at Blingsmovegen 30, 3540 Nesbyen, Norway.
3. How data is shared
DEFA AS will not sell or share your personal information to any third party, or in any way provide others with information retrieved or provided to us by using our app, web pages or through any other communication platforms, unless:
- Subscriber has clearly granted us a permission to do so
- Applicable law requires us to share your personal information
It is only the Subscriber which has full access to his/her own timeline and data concerning his/her movement. In case where the Subscriber drive a company car with a “company vehicle” profile linked with a PlotSync Bluetooth® beacon, only the drive, including location data, will be visible in the Customer’s administration interface.
4. Data security
DEFA use commercially reasonable physical and technical safeguards to secure your data. All communication channels are encrypted.
DEFA reserves the right to use third party vendors and hosting partners. We require those parties to whom we transfer personal data, to comply with the same data security measures.
5. Data retention
We will keep your personal data as long as we and our subcontractors are required by Norwegian law, and as long as it is necessary to achieve the purpose of the collection. The personal data will be deleted thereafter.
6. Subscriber’s access to data
Subscribers have access to their stored data through our web application by providing a valid username and password.
7. Finding out what data we hold on you
You have the right to gain access the personal data we have collected about you, how we process it, purposes, security measures etc.
Data subject access requests regarding processing of personal data for the purpose of providing the DEFA Plot service must be directed directly to the Customers. The Customers will refer the data subject access request to DEFA.
Data subject access requests regarding processing of personal data for DEFA’s own purposes should be directed directly to DEFA. Please send a written request to firstname.lastname@example.org
8. How you can withdraw your consent or update, rectify or delete your personal data
You can withdraw your consent or update, rectify or delete your personal data at any time. Please make a written application to email@example.com.
10. Contact information
Please contact us by e-mail firstname.lastname@example.org. Subscribers can also contact the Customer (their employer/principal).