Privacy statement for Office 365 and Azure

Last update: January 12th, 2020

Privacy statement for Office 365 and Azure

Introduction 

This privacy statement applies to any processing of personal data for applications using DNV’s Office 365 and assets with Azure AD as the authentication provider. 

Personal data in this regard shall mean any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. 

Processing shall mean any operation which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

What and how we process your personal data 

Office 365 provides several applications which you might be granted access to (e.g. Sharepoint, Teams, OneDrive). When you log in to an Office 365 application or another application using Azure AD as the authentication provider, we will automatically gather and store certain information  (i.e. your email address, IP address, device type, the browser used, the date and time of visit, pages visited). 

Within Azure AD we will be able to identify you so that we can give you access within the respective Office 365 application or others. The legal basis for this processing activity is Article 6 (1) 1 lit. b of the European General Data Protection Regulation (“GDPR”), as we will generally grant you access when a contract shall be executed or if we envisage to enter into a contract. 

Log Files 

DNV is collecting log files when using the applications to determine error situations and manage your guest membership account in Azure AD. 

Legal basis for this processing is Article 6 (1) 1 lit. f GDPR as it is our and the customer’s legitimate interest to get to know how their data is used. 

Automated decision making 

We do not use your personal data for automated decision making which produces legal effects concerning you or similarly significantly affects you. 

Recipient of your personal data 

Your personal data will be disclosed to the following parties: 

Group internal recipient 

Within the DNV company group, your personal data may be transferred to various entities of the DNV Group depending on which application you have been granted access to in the course of e.g. a project. DNV consists of DNV Group AS with subsidiaries (“DNV”). The legal basis for such transfer is DNV Group’s legitimate interest in the provisioning of shared custom support and administration as well as our company group’s legitimate interest to guarantee smooth operations between our entities for the purposes set out above. Personal data may be transferred outside of the country in which it was collected for. 

DNV is a Binding Corporate Rules (Controller) certified company and therewith personal data transferred to a third country outside the European Union / European Economic Area is subject to these. 

Third party recipients  

We engage third party companies and individuals who assist us in providing our services and products or support us with certain functions of these applications. Your personal data will be shared with the following categories of third parties and partly their sub-processors: 

The legal basis for this data transfer and processing activity is Art. 28 GDPR in conjunction with the data processing agreements we concluded with respective third-party companies. Therefore, our contractors will only use your personal data to the extent necessary to perform their functions and will be contractually bound to process your personal data only on our behalf and in compliance with our requests. 

We may disclose your personal data if legally entitled or required to do so (for example if required by law or by a court order). The legal basis for this processing is Art. 6 (1) 1 lit. c GDPR. 

International data transfer 

Within the scope of our information sharing activities set out above, your personal data may be transferred to other countries (including countries outside the European Union) which may have different data protection standards than your country of residence. Please note that data processed in a foreign country may be subject to foreign laws and accessible to foreign governments, courts, law enforcement, and regulatory agencies. However, we will endeavor to take reasonable measures to keep up an adequate level of data protection also when sharing your personal data with such countries. 

In the case of a transfer outside of the European Union, this transfer is safeguarded by the EU Standard Contractual Clauses. You can find further information about the aforementioned safeguards under: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en. 

Retention periods 

We strive to keep our processing activities with respect to your personal data as limited as possible. In the absence of specific retention periods set out in this policy, your personal data will be retained only for as long as we need it to fulfil the purpose for which we have collected it and, if applicable, as long as required by statutory retention requirements. 

Security 

We take market standard precautions to protect personal data. When our download form asks users to provide personal data, that personal data is encrypted and is protected with market standard encryption - SSL. While on a secure page, the lock icon in the top of web browsers such as Microsoft Internet Explorer is present.  

Unfortunately, no data transmission or processing can be guaranteed to be 100 % secure. Accordingly, despite our efforts to protect the personal data, DNV is not in a position to guarantee or warrant the security of the personal data. 

Data subjects’ rights 

You may be entitled to exercise some or all of the following rights free of charge:  

a. require (i) information whether your personal data is retained and (ii) access to and/or (iii) duplicates of your personal data retained, including the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed and where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;   b. request proper rectification, removal or restriction of your personal data, e.g. because (i) of the incomplete or inaccurate nature of the personal data, (ii) it is no longer needed for the purposes for which it was collected, (iii) the consent on which the processing was based has been withdrawn, or (iv) you have taken advantage of an existing right to object to the data processing; in case your personal data is processed by third parties, we will forward your request for rectification, removal or restriction also to such third parties unless this proves impossible or involves disproportionate effort;   c. receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from our side; where technically feasible you shall have the right to have the personal data transmitted directly from us to another controller,   d. refuse to provide and – without impact to data processing activities that have taken place before such withdrawal – withdraw your consent to processing of your personal data at any time;  e. object at any time that your personal data will be used for direct marketing purposes, or – based on grounds relating to your particular situation, that your personal data shall be subject to data processing for other purposes;   f. not to be subject to any automatic individual decisions (automatic decisions based on data processing by automatic means, for the purpose of assessing several personal aspects) which produce legal effects on you or similarly significantly affect you;   g. take legal actions in relation to any breach of your rights regarding the processing of your personal data, as well as to lodge complaints before the competent data protection regulators. 

Revision of the Privacy Statement 

DNV may change or update the privacy statement without notice. All such changes will take effect once they have been posted. It is your responsibility to monitor such updates. The privacy statement was last updated on the date stated at the beginning of this privacy statement. 

Contact Details 

If you are concerned about use of the data or have any questions regarding this privacy statement, please contact our data protection officer via dataprotection@dnv.com or by getting back to her using the same postal address as listed below. DNV regrets that only general queries about the privacy statement can be responded to via e-mail. 

We wish you a pleasant, enhanced user experience! 


DNV AS  

Veritasveien 1  

1363 Høvik  

Norway