ZAPTEC AS (hereinafter referred to as “ZAPTEC”) is committed to maintaining customer privacy. These guidelines describe how we process personal information.
Collection of personal data
ZAPTEC’s processing of personal data is based on voluntary and informed consent. Each customer must consent to the collection and processing of personal data through a special declaration of consent, cf. Section 8 of the Personal Data Act. Personal data will not be collected or processed before the customer’s consent has been obtained. The declaration of consent describes the requirements set out in Section 19 of the Personal Data Act, including
a) Name and address of the controller b) The purpose of the processing c) That the data will not be disclosed to others d) That the provision of data is voluntary e) Other information that will enable the data subject to exercise his rights pursuant to the Personal Data Act in the best possible way, including information on the right to demand access to data pursuant to Section 18, and the right to demand that data be rectified pursuant to Sections 27 and 28.
According to the declaration of consent, ZAPTEC may collect, store and process the following personal data about customers and products purchased by the customer:
Date of birth
Type of product
Product type and serial number
The approximate location of the products
Diagnostics data and sensor readings
Use of personal data The personal data that we collect will only be used for the purposes described in these guidelines and in our standard declaration of consent.Personal data are processed in connection with the functionality of ZAPTEC´s cloud solution (ZapCloud). This is required for the following functionality;
User being allowed to charge on chargers and installations requiring internal authentication
Administrate installations and charging stations
See charge history for an installation
See own charge history
Login to app. App uses same login and database as ZapCloud.
Additionally, personal data is collected in conjunction with support request. By interconnecting various non-sensitive personal data such as product number, customer name, address, location etc. ZAPTEC will be able to provide customised customer support. Another purpose of processing personal data is that ZAPTEC can improve its services to customers by compiling data based on usage, error messages etc.
Personal data can also be used in various enquiries and contact with the customer, for example orders and handling of orders, sending invoices, commercial communications, follow-up of complaints and the like. However, ZAPTEC will not use personal data for marketing purposes unless the customer has explicitly agreed to this.
ZAPTEC and the controller (cf. Item 4) shall, under Section 11 of the Personal Data Act, ensure that the personal data that are processed are only processed for explicitly stated purposes (i.e. the purpose as stated in the declaration of consent) that are objectively justified by ZAPTEC’s business activities. Furthermore, the controller is obliged to ensure that the personal data that are processed are not used subsequently for purposes that are incompatible with the original purpose of the collection, unless the customer consents. Furthermore, the personal data shall be sufficient and relevant for the purpose of the processing and be correct and up to date, and not stored for longer than is necessary for the purpose of the processing, cf. Sections 27 and 28 of the Personal Data Act; see further Items 7 and 8 below.
According to Section 2 (4) of the Personal Data Act, the CEO of ZAPTEC is the controller and also determines the purpose of processing personal data. The controller may, however, delegate tasks to subordinates and place the day-to-day responsibility for processing personal data at the level required for compliance with the Personal Data Act and the provisions of this policy. Whoever has day-to-day responsibility at ZAPTEC is among the pieces of information that everyone has a right to access, and which must be reported to the Norwegian Data Protection Authority, cf. Sections 18 and 32 of the Personal Data Act and below in Items 7 and 9.
Requirements concerning security measures
Pursuant to Section 13 of the Personal Data Act, the controller shall by means of planned, systematic measures ensure satisfactory data security with regard to confidentiality, integrity and accessibility in connection with the processing of personal data.
These measures shall be in place no later than 30 days prior to the processing of personal data commences, cf. Section 31, second paragraph and Section 32, first paragraph litra i) of the Personal Data Act and Item 9 below concerning obligation to give notification. This entails that the measures must protect against the information becoming accessible to persons who do not have legal access to the information, i.e. computer systems etc. used in processing personal data must be sufficiently secure to ensure that unauthorised persons cannot gain access to personal data. Data security with regard to integrity means that it must not be possible to alter the information in an unauthorised manner.
To obtain satisfactory data security the controller must document the information system and security measures. The documentation shall be accessible to the employees of ZAPTEC. The documentation shall also be accessible to the Norwegian Data Protection Authority and the Norwegian Data Protection Tribunal. All aspects of the information system that carries out the processing and is relevant to risk assessment shall be documented. This includes both electronic and manual parts of the processing.
Proportionality requirements relating to the protection of personal data
Where there is a risk of loss of personal integrity or loss of reputation, the planned and systematic security measures must be proportionate to the probability and consequence of security breaches.
[If the controller allows others to access personal data, e.g. others who perform services related to the information system, he must ensure that they meet the requirements mentioned above.]
According to Section 2-3 of the Personal Data Regulations, the general manager of the enterprise run by the data controller is responsible for ensuring compliance with the provisions of Chapter two of the Regulations. According to the provision, the purpose of the processing of personal data and general guidelines for the use of information technology shall be described in security objectives. Choices and priorities in security activities shall be described in a security strategy.
Use of the information system shall be reviewed regularly in order to ascertain whether it is appropriate in relation to the needs of the enterprise, and whether the security strategy provides adequate data security as a result. The result of the review shall be documented and used as a basis for any changes in security objectives and security strategy.
The requirement that data security must be satisfactory entails a requirement for a specific assessment for each type of processing of personal data (each system that processes personal data). According to the Personal Data Regulations, the controller shall estimate what is an acceptable risk for violation of confidentiality, integrity and accessibility, and assess probable risks and consequences of security breaches. On this basis, measures must be taken to ensure acceptable risk, cf. Section 2-4 of the Personal Data Regulations.
Any use of the information system that is contrary to established routines, and security breaches, shall be treated as a discrepancy. The processing of the discrepancy shall be documented and its purpose shall be to re-establish the normal state of affairs, eliminate the cause of the discrepancy and prevent its recurrence.
The distribution of responsibility for and authority governing the use of the information system that processes personal data shall be clearly established. The distribution of responsibility and authority shall be documented and shall not be changed without the authorisation of the general manager. The information system shall be configured in such a way as to achieve adequate data security. The configuration shall be documented and shall not be changed without the authorisation of the general manager.
ZAPTEC staff shall only use the information system that processes personal data to carry out assigned tasks, and shall be personally authorised for such use. The staff members shall have the knowledge necessary to use the information system in accordance with the routines that have been established. Authorised use of the information system shall be registered.
Duty of confidentiality
Members of the staff of the data controller shall be subject to a duty of confidentiality as regards personal data where confidentiality is necessary. The duty of confidentiality shall also apply to other data of significance for data security.
Measures shall be taken to prevent unauthorised access to equipment that is used to process personal data. The security measures shall also prevent unauthorized access to other equipment of significance for data security. Equipment shall be installed in such a way that influence from the environment in which it is operated does not significantly affect the processing of personal data.
Protection of confidentiality
Measures shall be taken to prevent unauthorised access to personal data where confidentiality is necessary. The security measures shall also prevent unauthorised access to other data of significance for data security. Personal data that are transferred electronically by means of a transfer medium that is beyond the physical control of the data controller shall be encrypted or protected in another way when confidentiality is necessary. As regards storage media that contain personal data where confidentiality is necessary, the need to protect confidentiality shall be shown by means of marking or in another way. If the storage medium is no longer used for the processing of such data, the data shall be deleted from the medium.
Security measures shall prevent unauthorised use of the information system and make it possible to detect attempts at such use. Attempts to make unauthorised use of the information system shall be registered. Security measures shall include measures that cannot be influenced or circumvented by members of the staff, and shall not be limited to actions that any individual member is supposed to carry out. Security measures shall be documented.
Routines for using the information system and other data of significance for data security shall be documented. The documentation shall be stored for at least five years from the time the document was replaced by a new, current version. Records of authorised use of the information system and of attempts at unauthorised use shall be stored for at least three months. The same shall apply to records of all other events of significance for data security.
The controller shall establish and maintain such planned and systematic measures that are necessary to comply with the requirements of the Personal Data Act and the Personal Data Regulations, including ensuring the quality of the personal information.
The controller shall document the measures. The documentation shall be accessible to employees of ZAPTEC. The documentation shall also be accessible to the Norwegian Data Protection Authority and Norwegian Data Protection Tribunal.
Pursuant to Section 3-1 of the Personal Data Regulations, the systematic internal control measures shall be adapted to the nature, activities and size of the enterprise to the extent that is necessary in order to comply with the requirements laid down in the Personal Data Act and the Regulations.
Internal controls entail that ZAPTEC shall, inter alia, ensure that it has knowledge of current rules governing the processing of personal data, that it has adequate and up-to-date documentation for the implementation of the above-mentioned routines, and that this documentation is available to the persons it may concern. This is described in these guidelines.
ZAPTEC shall also have routines for fulfilling its duties and the rights of data subjects pursuant to current rules of privacy, including routines for
a) Obtaining and verifying the consent of data subjects, cf. Sections 8 and 11 of the Personal Data Act. This is considered fulfilled by compliance with this policy’s provisions in Items 2, 3, 7 and 8.
b) Evaluating the purpose of personal data processing in accordance with Section 11 (a) of the Personal Data Act. This is considered fulfilled in that ZAPTEC – as described in these guidelines – will only process personal data to the extent consented to and only within the purpose specified in the declaration of consent.
c) Evaluating the quality of personal data in relation to the defined purpose of processing the data. This is considered fulfilled by compliance with these guidelines.
d) Replying to requests for access and information. The procedures for this are described in these guidelines.
e) Complying with the provisions of the Personal Data Act regarding the obligation to give notification. The procedures for this are described in Item 9 below.
Access to, changing and deletion of personal data
Anyone who requests has the right to know what kind of processing of personal data is performed by the controller, cf. Section 18 of the Personal Data Act, and may demand to receive the following information as regards a specific type of processing:
a) The name and address of the controller and of his representative, if any
b) Who has the day-to-day responsibility for fulfilling the obligations of the controller
c) The purpose of the processing
d) Descriptions of the categories of personal data that are processed
e) The sources of the data
f) Whether the personal data will be disclosed, and if so, the identity of the recipient
The data subject (i.e. the person to whom the personal data may be linked) has the right to access the data ZAPTEC has stored and processes about him. If the data are incorrect or incomplete the data subject may demand to have the incorrect data corrected, supplemented or deleted. Furthermore, the data subject may request the controller to provide information about the security measures during the processing insofar as access does not impair security. The data subject may also demand that the controller elaborate on the information in litrae a-f above to the extent that this is necessary to enable the data subject to protect their own interests.
If personal data which are inaccurate or incomplete or of which processing is not authorised (e.g. because the data subject has withdrawn their consent), the controller shall on his own initiative or at the request of the data subject rectify the deficient data. The controller shall if possible ensure that the error does not have an effect on the data subject. Deletion should be supplemented by the recording of accurate and complete data.
The data subject may also at any time demand the deletion of the information collected about them, unless they are required to deliver a service which they still want to have access to, or if ZAPTEC is required by law to store the data for a certain period of time.
Information/access, etc. as mentioned above may be obtained by contacting ZAPTEC. Contact information is contained in Item 10 below. The information may be requested in writing. Before providing access to data relating to a data subject, the controller may require that the data subject furnish a written, signed request/demand for access.
The controller at ZAPTEC is obliged to answer enquiries about access etc. without undue delay and no later than within 30 days from the day the request is received, unless particular circumstances make it impossible to respond to the enquiry within 30 days. In that case, the controller shall give a provisional reply stating the reason for the delay and the likely date for when a reply can be given. Payment may not be demanded for providing such information.
Storing unnecessary data
ZAPTEC shall not store personal data longer than is necessary to carry out the purpose of the processing, cf. Section 28 of the Personal Data Act.
Obligation to give notification
The controller at ZAPTEC shall notify the Norwegian Data Protection Authority no later than 30 days prior to the commencement of processing personal data by electronic means. The notification may be submitted electronically via the Norwegian Data Protection Authority’s website, https://datatilsynet.no/personvern/Melding-og-konsesjon/Meldeskjema/
The notification shall provide information about several aspects, including
The name and address of the controller and his representative and processor, if any
When the processing will begin
Who has the day-to-day responsibility for fulfilling the obligations of the controller
The purpose of the processing
An overview of the categories of personal data that are to be processed
The sources of the personal data
The legal basis for collecting the data
The persons to whom the personal data will be disclosed
The security measures relating to the processing
[Several of these points are described in the declaration of consent and these guidelines]
Richard Johnsensgate 4