WML’s Personal Data Protection Policy

1. Purpose, Scope and Accountability:

WML AS strives to comply with applicable laws and regulations related to Personal Data protection in the countries where the company operates. This Policy sets forth the basic principles by which WML processes the personal data of its employees, customers, suppliers, business partners and other individuals, and specifies the responsibilities of its business departments and employees while processing personal data.

This Policy applies to the Company and its directly or indirectly controlled wholly-owned subsidiaries conducting business within the European Union (EU) and the European Economic Area (EEA) or processing the personal data of data subjects within EU/EEA.

The persons accountable for complying with the principles and guidelines specified in this document are all employees of WML, permanent or temporary, and all contractors working on behalf of WML.

2. Reference Documents:

  • EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
  • Lov om behandling av personopplysninger (personopplysningsloven – Norway)
  • Forskrift om behandling av personopplysninger (personopplysningsforskriften – Norway)
  • Implementation Act of the General Data Protection Regulation (the Netherlands)

3. Definitions:

The following definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation:

Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject“) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive Personal Data: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms and therefore merit specific protection, as the context of their processing could create significant risks to those fundamental rights and freedoms. Such personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

Data Controller: The natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.

Processing: An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.

Anonymization: Irreversibly de-identifying personal data such that the individual cannot be identified, either by the controller or by any other person, using reasonable time, cost and technology. The personal data processing principles do not apply to anonymized data, as it is no longer personal data.

Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Pseudonymization reduces, but does not completely eliminate, the ability to link personal data to a data subject. Because pseudonymized data is still personal data, the processing of pseudonymized data should comply with the Personal Data Processing principles.

Cross-border processing of personal data: Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the EU GDPR (Datatilsynet in Norway and Autoriteit Persoonsgegevens in the Netherlands).

4. Basic Principles Regarding Personal Data Processing:

The data protection principles outline the basic responsibilities of organizations handling personal data. Article 5(2) of the GDPR stipulates that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

4.1. Lawfulness, Fairness and Transparency:

Personal data must be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.


4.2. Purpose Limitation:

Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

4.3. Data Minimization:

Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Where possible, the Company must apply anonymization or pseudonymization to personal data in order to reduce the risks to the data subjects concerned.

4.4. Accuracy:

Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data which are inaccurate are erased or rectified in a timely manner.

4.5. Storage Period Limitation:

Personal data must be kept for no longer than is necessary for the purposes for which the personal data are processed.

4.6. Integrity and Confidentiality:

Taking into account the state of technology and other available security measures, the implementation cost, and the likelihood and severity of the risks to personal data, WML must use appropriate technical or organizational measures to process Personal Data in a manner that ensures appropriate security of the personal data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized access or disclosure.

4.7. Accountability:

Data controllers shall be responsible for and be able to demonstrate compliance with the principles outlined above.

5. Building Data Protection into Business Activities:

In order to demonstrate compliance with the principles of data protection, WML shall build data protection into its business activities.

5.1. Notification to Data Subjects:

See the Fair Processing Guidelines in section 6 below.

5.2. Data Subject’s Choice and Consent:

See the Fair Processing Guidelines in section 6 below.


5.3. Data Collection:

WML shall strive to collect the least amount of personal data possible. If personal data is collected from a third party, the CFO must ensure that the personal data is collected lawfully.

5.4. Use, Retention, and Disposal of Personal Data:

The purposes, methods, storage limitation and retention period of personal data must be consistent with the information contained in the Privacy Notice. WML must maintain the accuracy, integrity, confidentiality and relevance of personal data based on the processing purpose. Adequate security mechanisms designed to protect personal data must be used to prevent personal data from being stolen, misused, or abused, and prevent personal data breaches. WML’s CFO is responsible for compliance with the requirements listed in this section.

5.5. Disclosure to Third Parties:

Whenever WML uses a third-party supplier or business partner to process personal data on its behalf, WML is obliged to ensure that this processor will provide security measures to safeguard personal data that are appropriate to the associated risks.

WML must contractually require the supplier or business partner to provide the same level of data protection. The supplier or business partner must only process personal data to carry out its contractual obligations towards WML or upon direct instructions from WML and not for any other purposes.

5.6. Cross-border Transfer of Personal Data:

Before transferring personal data out of the European Union (EU) or the European Economic Area (EEA), adequate safeguards must be put in place, including the signing of a Data Transfer Agreement as required by the European Union, and, where required, authorization from the relevant Data Protection Authority must be obtained. The entity receiving the personal data must comply with the principles of personal data processing set forth in the Cross Border Data Transfer Procedure.

5.7. Rights of Access by Data Subjects:

When acting as a data controller, WML is responsible for providing the Data Subjects with a reasonable access mechanism to enable them to access their personal data, and must allow them to update, rectify, erase, or transmit their Personal Data, if appropriate or required by law. This access mechanism is made available to the data subjects through the Data_Subject_Access_Request_Form.

5.8. Data Portability:

Upon request, Data Subjects have the right to receive, free of charge, a copy of the data they provided to the company in a structured format and to transmit those data to another controller. WML is responsible for ensuring that such requests are processed within 30 days of receipt, are not excessive, and do not affect the personal data rights of other individuals.

5.9. Right to be Forgotten:

Upon request, Data Subjects have the right to obtain the erasure of their personal data. When WML is acting as a Controller, WML must take the necessary actions (including technical measures) to inform the third parties who use or process that data, so that they also comply with the request.

6. Fair Processing Guidelines:

Personal data must only be processed when explicitly authorised by WML’s CFO.

WML shall decide whether to perform the Data Protection Impact Assessment for each data processing activity according to the Data Protection Impact Assessment Guidelines.

6.1. Notices to the Data Subjects:

At the time of collection or before collecting personal data for any kind of processing activity, including but not limited to selling products or services and marketing activities, WML’s CFO is responsible for properly informing the Data Subjects of the following: the types of personal data collected, the purposes of the processing, the processing methods, the data subjects’ rights with respect to their personal data, the retention period, potential international data transfers, whether data will be shared with third parties, and WML’s security measures to protect personal data. This information is provided through WML’s Privacy Notice.

Where personal data is being shared with a third party, WML must ensure that the Data Subjects have been notified of this through the Privacy Notice.

Where personal data is being transferred to a third country according to the Cross Border Data Transfer Policy, the Privacy Notice should reflect this and clearly state to where, and to which entity, the personal data is being transferred.

Where sensitive personal data is being collected, WML’s CFO must make sure that the Privacy Notice explicitly states the purpose for which this sensitive personal data is being collected.

6.2. Obtaining Consents:

Whenever personal data processing is based on the Data Subject’s consent, or on other lawful grounds, WML’s CFO is responsible for retaining a record of such consent. The CFO is responsible for providing data subjects with options to give their consent and, whenever consent is used as the lawful ground for processing, must inform data subjects that their consent can be withdrawn at any time and ensure that it can be.

If the collection of personal data relates to a child under the age of 16, WML’s CFO must ensure that parental consent is given prior to the collection using a Parental Consent Form.

When requests to correct, amend or destroy personal data records are received, the CFO must ensure that these requests are handled within a reasonable time frame. The CFO must also record the requests and keep a log of these.

Personal data must only be processed for the purpose for which they were originally collected. In the event that WML wants to process collected personal data for another purpose, WML must seek the consent of its Data Subjects in clear and concise writing. Any such request should include the original purpose for which data was collected, and also the new, or additional, purpose(s). The request must also include the reason for the change in purpose(s). WML’s CFO is responsible for complying with the rules in this paragraph.

Now and in the future, WML’s CFO must ensure that collection methods are compliant with relevant law, good practices and industry standards.

The CFO is responsible for creating and maintaining a Register of the Privacy Notices.

7. Organization and Responsibilities:

The responsibility for ensuring appropriate personal data processing lies with everyone who works for or with WML and has access to personal data processed by WML.

The Board of Directors makes decisions about and approves the Company’s general strategies on personal data protection.

The Chief Financial Officer (CFO) is responsible for:

  • Managing the personal data protection program.
  • The development and promotion of end-to-end personal data protection policies.
  • Ensuring that all systems, services and equipment used for storing data meet acceptable security standards.
  • Performing regular checks and scans to ensure security hardware and software is functioning properly.
  • Passing on personal data protection responsibilities to suppliers.
  • Improving suppliers’ awareness of personal data protection, as well as ensuring a “flow down” of personal data requirements to any third party that a supplier is using.
  • Ensuring that WML reserves the right to audit its suppliers and collaborators.

The Data Protection Advisor (DPA), together with WML’s CFO, monitors and analyses personal data laws and changes to regulations, develops compliance requirements, and assists business departments in achieving their Personal Data Objectives.

The Managing Director is responsible for:

  • Approving any data protection statements attached to communications such as e-mails and letters.
  • Addressing any data protection queries from journalists or media outlets like newspapers.
  • Where necessary, working with the CFO to ensure that marketing initiatives abide by data protection principles.
  • Improving all employees’ awareness of user personal data protection.
  • Organizing personal data protection expertise and awareness training for employees working with personal data.
  • End-to-end employee personal data protection, which must ensure that employees’ personal data is processed based on the employer’s legitimate business purposes and necessity.

8. Guidelines for Establishing the Lead Supervisory Authority:

8.1. Necessity to Establish the Lead Supervisory Authority:

Identifying a Lead Supervisory Authority is only relevant if the Company carries out cross-border processing of personal data.

8.2. Main Establishment and the Lead Supervisory Authority:

8.2.1. Main Establishment of the Data Controller:

The top management of WML has identified WML in Oslo, Norway as its main establishment and thus Datatilsynet in Oslo, Norway as the lead supervisory authority.

8.2.2. Main Establishment for the Data Processor:

When WML is acting as a data processor, its main establishment will be the place of its central administration (HQ) – in Oslo, Norway.

8.3. Response to Personal Data Breach Incidents:

When WML learns of a suspected or actual personal data breach, WML’s CFO must perform an internal investigation and take appropriate remedial measures in a timely manner, according to WML’s Data Breach Policy. Where there is any risk to the rights and freedoms of the Data Subjects, WML must notify the relevant data protection authorities without undue delay and, when possible, within 72 hours.

9. Audit and Accountability:

WML’s CFO, together with the Data Protection Advisor (DPA), is responsible for auditing how well various departments of the company implement this Policy.

Any employee who violates this Policy will be subject to disciplinary action and may also be subject to civil or criminal liabilities if his or her conduct violates any laws or regulations.

10. Conflicts of Law:

This Policy is intended to comply with the laws and regulations in the place of establishment and of the countries in which WML operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.

11. Validity and Document Management:

This document is valid as of 10.05.2018.

The owner of this document is WML’s CFO, who must check and, if necessary, update the document at least once a year.