Processing of personal data about customers, partners and advertisers in connection with advertising and corporate subscription sales (B2B)

 

1. Information on the processing of personal data and the controller

Schibsted Media AS and Schibsted News Media AB collects and processes personal data about our customers, partners and employees of our advertisers in connection with advertising sales. We are committed to handling your data securely and in accordance with legal requirements, as well as the expectations of our advertisers. Schibsted Media AS  is responsible for the processing of personal data described here for Schibsted’s advertising  and B2B sales activities in Norway, while Schibsted News Media AB is responsible for Schibsted’s advertising and B2B sales activities in Sweden and Finland.

This privacy policy concerns the processing of personal data in connection with Schibsted’s advertising sales, including form submissions and analytics on advertising.schibsted.com, and does not include the processing or collection of personal data relating to users on consumer oriented Schibsted websites. To learn more about how we collect and manage the user’s personal data, please visit our privacy policies, which you can find here.

The information in this document is structured to ensure compliance with the General Data Protection Regulation  (GDPR)’s requirements for information and transparency.

 

2. Collection and processing of personal data in Schibsted’s advertising business

The personal data Schibsted collects in connection with the advertising business is mainly used to carry out the sales process and the agreement with the customer, and to maintain contact with our active customers. This could mean that we store names and phone numbers in order to follow up a customer contact after a sales meeting, and that we process personal data in connection with order tracking and invoicing. Another example is that we store contact information for a person who works for a company that is a customer of Schibsted. More detailed information on the purposes of processing personal data can be found below.

Schibsted also stores personal data in order to have a complete accounting basis in accordance with the Accounting Act, e.g. names of customer references stored in invoices.We collect personal data in the following ways:

  1. When a person completes one of our contact forms online
  2. When a person downloads a report from a B2B website
  3. When a person is in contact with our sellers or partners to buy advertising
  4. By gathering data on contact persons on companies’ websites or publicly available sources such as Gulesider/Eniro.
  5. From a third-party data provider, such as Dun & Bradstreet (data provider that collects business information from business registers and supplement it with data from other public sources)
  6. By attending our events

When we receive the data directly from an individual, a link to this privacy policy will be available when the data is collected. For all processing of personal data as described in this privacy policy, the customer and the contact person are registered in our customer system. When registering contact persons, an email is sent immediately to their email address with a link to this privacy policy. When data is not collected directly from the individual, information about our processing of personal data is easily accessible online via this Privacy Policy.

 

3. Categories of personal data we process

The information below lists a complete overview of the personal data collected in connection with Schibsted’s advertising activities. The personal data collected will vary based on whether you are in contact with us as a private person or whether you are acting on behalf of a company.

  • Name: The name of the customer, or the name of a contact person at a company that is a customer, agency or partner of Schibsted.
  • Telephone number: Telephone number of the customer or a contact person of a company that is a customer (advertiser) at Schibsted.
  • E-mail address: E-mail address of the customer or of a contact person of a company that is a customer (advertiser) at Schibsted.
  • Function / Role: Function and role of a contact person at a company that is a customer (advertiser) at Schibsted.
  • Employer: Customer / Affiliate / Advertiser who is the company a contact person represents.
  • Organisation number: Organisation number for a single company.
  • Meeting notes: Notes from meetings and conversations with our sales people.
  • Address: Customer’s address (advertiser).
  • E-mail correspondence: E-mail containing personal data that you have sent or received via your e-mail address.
  • Information on response to newsletters and invitations: When sending out newsletters and invitations, any response that the recipient registers is stored, as well as information on when and how many times the newsletter / invitation was read.
  • Events: Overview of which events a person has signed up for, any allergies (voluntary to provide) and if the person has attended the event.
  • Purchase history: History of the products that have been purchased, as well as the time and price.

 

4. Storage time

Personal data is stored for a certain period of time and then deleted. The types of data stored and their retention period are described in the information below.

  • Customer card: Companies from Brønnøysund and/or Dun & Bradstreet are stored and maintained in the system, including contact information at these companies. 24 months after the last activity or turnover of the customer, only a subset of data is retained for another 12 months before all data is deleted.
  • Name and any other information regarding the customer and contacts in the CRM system: When a customer is deemed passive(see above), meaning there has been no turnover or activity for the past 24 months, only a subset of personal data on the customer card, including details of associated contacts, will be retained. After 12 months on a passive status, all personal data is deleted. When personal contact information for a contact person is obtained from public sources (e.g. a corporate website) and the customer is not an active customer, the contact details will be deleted within 3 months of collection. This applies to cases where we work with a potential customer. If a customer relationship is established, the usual deletion time as described above applies. If a contact specifically requests to be deleted, we will delete both the contact and all associated information about that contact.
  • Primary documentation according to the Accounting Act: 5 years
  • Secondary documentation according to the Accounting Act: 3,5 years
  • Meeting notes and other customer-related notes: Notes related to the customer (company) are maintained as long as the customer exists in the system. Contacts-only notes are deleted when the contact is deleted.
  • Booked meetings: Booked meetings related to the customer (company) are maintained as long as the company exists in the system. Bookings associated with contacts are only deleted when the contact is deleted.
  • Information on response to newsletters and invitations, as well as registration / participation in events: The information is related to the contact person who received the newsletter / invitation. This is whether the recipient opened the newsletter and possibly links in the newsletter that were clicked on. For invitations, information is stored about which events the recipient signed up for, and whether the person participated. This information is maintained as long as the contact person is maintained. When the contact is deleted, this information is also deleted (see section on personal data above). Responses to surveys are maintained with the respondent for 30 days, and then the response is anonymized.

A customer is considered active if the customer has made a purchase within the past 24 months or has an ongoing or planned engagement.

After that, the customer is considered passive, but a limited set of  personal data may be retained for a limited period for follow-up and potential re-engagement. If no further purchase or engagement occurs, all personal data is deleted within 12 months after the customer becomes passive.

 

5. Purpose and legal basis for processing personal data

Whenever personal data is processed, a legal basis for the processing is required. The GDPR provides several alternative legal bases. The information below provides an overview of the personal data Schibsted collects, the purpose for which it is used, and the basis for the processing.

Handle advertising orders purchased through our salespeople or companies using our advertising system

  • Personal data: Name, organization number, telephone number, address, e-mail address, e-mail correspondence, purchase history.
  • Legal basis: Legitimate interest (customer is a company) and contract (customer is an individual). The processing is necessary for us to fulfill the agreement with the customer, e.g. to be able to contact the right people of our customer.

 

Invoice individual companies and individuals, we need to store information about the buyer

  • Personal data: Name, organization number, telephone number, address, e-mail address, purchase history.
  • Legal basis:Legitimate interest (customer is a company), contract (customer is an individual) and legal obligation.Processing of customer data is done to be able to send invoices (including ad billing) and to fulfill the agreement with the customer. Data is also processed to fulfill our requirements under accounting and bookkeeping obligations. For affiliate marketing: We track end-users clicks and IP addresses leading to affiliate partners to be able to invoice our services as agreed in the agreement with the affiliate partner.

 

Manage and store e-signed agreements

  • Personal data: Name, organization number, e-mail address, e-mail correspondence, purchase history.
  • Legal basis:Legitimate interest (customer is a company) and contract (customer is an individual). The processing is necessary for us to fulfil the agreement with the customer, e.g. to be able to contact the right people of our customer.

 

Follow up the customer and manage the contractual agreement

  • Personal data: Name, telephone number, e-mail address, role and function, employer, meeting notes, address, e-mail correspondence, purchase history.
  • Legal basis: Legitimate interest (customer is a company) and contract (customer is an individual). The processing is necessary for us to fulfill the agreement with the customer, e.g. to be able to follow up the customer and manage the contractual agreement.

 

Credit checks (for corporate customers only)

  • Personal data: Name, organization number.
  • Legal basis: Legitimate interest. The processing is necessary for our legitimate interest in ensuring that our customers pass necessary credit checks.

 

Fulfill the requirements of the Accounting Act

  • Personal data: Name of company / private person and possible, organization number, telephone number, e-mail address, invoice address, the nature and extent of the benefit, the time and place of delivery of the benefit, as well as other statutory invoice information, agreements, correspondence and order confirmations in accordance with the Accounting Act.
  • Legal basis: Legal obligation according to the Accounting Act.

 

Invite potential and existing customers and partners to events, we store contact information about the companies and employees of these companies with whom we are in contact

  • Personal data: Name, role and function, telephone number, e-mail address, employer, allergies, response to newsletters and invitations, registration and participation in previous events.
  • Legal basis: Legitimate interest (customer is a company) and contract (customer is an individual). Processing is necessary to invite customers and partners to events. We use the stored information to limit to whom invitations are sent, so that the invitation is most relevant to those who receive it.

 

Send newsletters

  • Personal data: Name, role and function, telephone number, e-mail address, employer, response to newsletters and invitations, registration and participation in previous events.
  • Legal basis: Legitimate interest (when there is an existing customer relationship), consent (when there is not an existing customer relationship). The processing is based on our legitimate interest in providing relevant information about our products to our customers.  We use the stored information to limit who we send invitations to, so that the newsletter is relevant to those who receive it. For example, an invitation to a follow-up course is only sent to those who participated in the initial course.

 

Website analytics – To analyse how our website is used and improve content, functionality and user experience

  • Personal data: IP address, device and browser information, usage data (such as pages visited and navigation patterns), cookie identifiers
  • Legal basis: We use analytics tools to understand how our website is used. Where required, this processing is based on your consent and carried out in accordance with our Cookie Policy.

 

Advertisements – to tailor advertisements for our B2B services based on web site usage and other information

  • Personal data: IP address, device and browser information, usage data (such as pages visited and navigation patterns), cookie identifiers.
  • Legal basis: Consent collected through the Cookie Banner

 

Store contact information about the companies and their employees in order to send out information and customer surveys to potential and existing customers and partners

  • Personal data: Name, role and function, telephone number, e-mail address, employer, response to newsletters and invitations, registration and participation in previous events.
  • Legal basis: Legitimate interest (when there is an existing customer relationship), consent (when there is not an existing customer relationship). The processing is necessary to be able to send information and surveys to whom it may be relevant for.