Effective September 20, 2021
1. Data Controller
Its purpose is to define the rules how to process and use the Personal Data and information from identified or identifiable users of any Websites or Services administered by the Controller, including company's or other organization's representatives, and also contains information about the rights of natural persons, with regard to the Personal Data they have provided.
The Controller has appointed a data protection officer (DPO) who can be contacted via e-mail at: email@example.com in any matter regarding the processing of personal data.
- Controller – Moicon AS based in Kapp, 2849, Fabrikkvegen 52, Norway;
- Data Subject – identified or identifiable natural person visiting the Website, ordering the Services or performing the Agreement on behalf of the company or other organization. Identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Website – any website maintained by the Controller on stationary and mobile terminal devices through which the Controller provides their Data Subjects with content, digital or electronic files, and / or Services specified in each case in the Website’s Regulations;
- Personal Data – any information relating to the Data Subject;
- Order System - a separate part of the Services, through which the Controller conducts the Sale of Services on the principles specified each time in the Website’s Regulations;
- Agreement - service agreement concluded in an electronic form for the Website Services or for the MOICON Software Services respectively;
- Services - services provided by the Controller to the Data Subjects including Website Services and/or MOICON Software Services respectively;
- Payment Operator - payment institutions within the meaning of the Norwegian law, which cooperates with the Website;
- Payment Order - debiting the company’s or other organization’s, represented by the Data Subject, bank account or payment card confirmed by the Payment Operator with an amount specified in the Order;
- GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
What info do we collect?
3. Processing and Protection of Personal Data
3.1. Collection and processing of the personal data
In connection with the Data Subject’s use of the Website, the Controller collects data to the extent necessary to provide individual Services offered on the Website, as well as information about the Data Subject’s activity on the Website.
By collecting any Personal Data, the Controller determines where they were obtained.
The Personal Data is obtained directly from the Data Subject through:
- forms filled out online – information is collected through forms available on the Controller’s Websites for contact purposes, submitting questions, submitting applications, submitting files and expressing comments;
- contact outside the Website – on the Controller’s Websites, there are telephone and fax numbers as well as e-mail addresses at which the Data Subject can contact the Controller;
- telephone contact – conversations with the Controller’s representatives at the numbers indicated on the Controller’s Websites may be recorded. In such a case, the Data Subject will be always informed about it and their consent must be obtained;
- data on network traffic and statistics on the frequency of visits to the Controller’s Websites – a record of information on traffic data, which is automatically recorded by our server, is kept – the Data Subject’s IP address, URL visited before visiting our website, URL visited after visiting our site and pages visited. Statistics on the number of visits to the site and page views are also collected. The Controller is not able to directly determine the Data Subject’s identity based on the traffic data and statistics about the use of the Website;
- when using the resources of Websites managed by the Controller – information about the Data Subject is collected through cookies (only strictly necessary cookies are required).
The detailed rules and purposes of processing the Personal Data collected during the Data Subject’s use of the Website are presented below.
3.2. The purposes and legal grounds for data processing
3.2.1 Use of the website/services
The Personal Data of all natural persons using the Website (including their IP addresses or other identifiers and information collected via cookies or any other similar technologies) are processed by the Controller for the following purposes:
- in order to electronically provide the Services and to conclude the Agreements, which includes also the Sale of the MOICON Software Services – in such a case, the legal basis for processing involves necessity to process the Personal Data in order to take steps at the request of the Data Subject prior to entering into a contract and to perform a contract (Article 6(1)(b) of the GDPR);
- in order to comply with the Controller’s legal obligations resulting in particular from accounting policies and tax related regulations (Article 6(1)(c) of the GDPR). The provision of the Personal Data is a statutory requirement;
- for communication purposes – in such a case Personal Data are processed to pursue the Controller’s legitimate interests (Article 6(1)(f) of the GDPR). Personal data are provided on a voluntary basis, but the provision thereof is necessary to receive a reply from the Controller. In such a case, the Personal Data are processed due to the Controller’s legitimate interests. The Controller’s legitimate interests consist in communicating with the Data Subject who requests of the Controller to provide an answer. Determining the legitimate interest will be preceded by performing a balance test of the Service Provider's interest and the Data Subject's interest;
- for analytical and statistical purposes – in such a case, the legal basis for processing involves the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in conducting analyses of the Data Subject’ activities as well as their preferences, in order to improve functionalities and Services provided. Determining the legitimate interest will be preceded by performing a balance test of the Service Provider's interest and the Data Subject's interest;
- in order to possibly determine, investigate or defend against claims – the legal basis for processing involves the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting in the protection of its rights. Determining the legitimate interest will be preceded by performing a balance test of the Service Provider's interest and the Data Subject's interest;
- for marketing purposes of the Controller and/or other entities, in particular related to the presentation of behavioural advertising. The Personal Data are processed on the basis of consent of the Data Subject (Article 6(1)(a) of the GDPR), and in the case of direct marketing – also to pursue the Controller’s legitimate interests (Art. 6(1)(f) of the GDPR). The Personal Data are provided on a voluntary basis. The Data Subject may withdraw their consent at any time – without affecting the lawfulness of processing prior to the withdrawal. In case of sending the Controller’s commercial information, a legal basis for processing, involves the Controller’s legitimate interest. The Controller’s legitimate interest consists in carrying out direct marketing activities. Determining the legitimate interest will be preceded by performing a balance test of the Service Provider's interest and the Data Subject's interest;
- the Data Subject’s activity on the Website, including their personal data, is recorded in system logs (a special computer programme used to store a chronological record containing information about events and activities related to the IT system used to provide Services by the Controller). The information collected in the logs is processed primarily for purposes related to the provision of Services. The Controller also processes the data for technical and administrative purposes, for the purposes of ensuring IT system security and management, as well as for analytical and statistical purposes – in this case, the legal basis for processing involves the legitimate interest of the Controller (Article 6(1)(f) of the GDPR). Determining the legitimate interest will be preceded by performing a balance test of the Service Provider's interest and the Data Subject's interest.
3.2.2 Keeping your data secure
How we keep your data secure?
At MOICON, we value your privacy and the confidential nature of your information, so we take the following precautions:
- we do not keep backup of uploaded files for more than 30 days - they are automatically deleted after 30 days;
- your files are encrypted both at rest and in transit;
- files are kept in an encrypted disk, separate from the main server.
Our service is built on several cloud service providers, including Amazon Web Services (AWS), Linode. Those providers come up with robust security mechanisms to protect our infrastructure.
All communications are performed through end-to-end HTTPS encryption. We frequently and consistently review our SSL configuration and make appropriate updates in the unlikely case new SSL vulnerabilities are discovered. Our inbound and outbound traffic is monitored and controlled using web application firewalls Cloudflare which also protect us from Distributed Denial of Service (DDoS) attacks. Our servers are secure using Fail2Ban, Firewalls, and port blocking software. We use separate environments for testing and production.
Protection Against Data Loss
We regularly make backups of MOICON's databases and full-disk image of MOICON’s servers (excluding uploads). These backups are saved and encrypted on storage services off-site, then systematically tested for integrity. Sensitive data like passwords or credit card numbers are never logged.
Your Credit Card Data are Safe
MOICON does not transmit or store your credit card information on our servers. This shall mean your credit card data are securely submitted directly from your browser (without touching our servers) to a leading, fully PCI-compliant (PCI Service Provider Level 1) payment provider. Your credit card data are never stored on our servers.
Please send urgent and/or sensitive security reports directly to firstname.lastname@example.org. Please let us know how we can securely contact you.
How can the Personal Data be changed?
The Data Subject has the right of access to content of their Personal Data and the right of rectification and erasure of the Personal Data, the right to restrict processing of the data and the right to data portability. Further, the Data Subject has the right to object to the processing of the Personal Data, for instance if the Controller profiles the Data Subject’s data. The Data Subject who has given consent to the processing of the data has the right to withdraw their consent at any time without affecting the lawfulness of processing carried out on the basis of the consent prior to the withdrawal. To this effect, the Data Subject can contact the Controller at the e-mail address: email@example.com. The Data Subject can contact the Controller also otherwise as preferred, including verbally and in writing at the Controller’s address.
How long will the Personal Data be processed?
With regard to the provision of:
- the Services on the Website - the Personal Data will be processed for as long as the Website Services are provided;
- the MOICON Software Services - the Personal Data will be processed for as long as the MOICON Software Services are provided;
- the Services available against Payment - the Personal Data will be processed until the Payment is settled and for a period of five years from the end of a calendar year when a transaction has been conducted, subject to a different legal requirements;
except for the Personal Data to the processing of which the Data Subject has given separate consent or there exists another basis for processing thereof (such a Personal Data may be processed for a longer period).
With regard to:
- communication with the Data Subject - the Personal Data will be processed for a period necessary to provide the Data Subject with a satisfactory answer;
- analytical and statistical purposes - the Personal Data will be processed for 30 days;
- potential legal claims - the Personal Data will be processed until any potential legal claims are time-barred;
- marketing purposes of the Controller and/or other entities - the Personal Data will be processed until consent is withdrawn or an objection is effectively raised;
- Data Subject’s system logs - the Personal Data will be processed for 30 days.
Upon the lapse of a processing period, the Personal Data are permanently deleted or anonymised.
Other personal data processing related rights of the Data Subjects
The Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of an alleged infringement, if a data subject considers that the processing of personal data relating to him or her infringes the Regulation or if they consider that their Personal Data are processed in breach of mandatory rules of law.