Privacy Policy
Private clients and corporate personal representatives
24 Center AS, 1.10.2025
This statement explains the processing of personal data in accordance with the EU General Data Protection Regulation (679/2016).
Data controller
24 Center AS
Org. no.: 927 237 652
Address: Østensjøveien 43, 0667 OSLO
Contact person for questions about privacy
Tommy Ekhorn (Head of Scandinavia)
Tel. +46 73 42 25 398
Email: [email protected]
The data subject is recommended to contact the above-mentioned contact person in all questions concerning the processing of personal data and in situations concerning the exercise of their personal rights.
The basis and purpose of the processing of personal data
The legal basis for processing personal data is:
- Agreement between the data subject and the controller
- The legitimate interest of the controller, based on a customer relationship between the data subject and the controller
- The data subject's consent to the processing of personal data
The purposes of processing personal data include the provision of services, maintaining customer relationships and partnerships, and marketing (with the consent of the data subject).
Personal data processed
The controller only collects personal data from data subjects that are relevant and necessary for the purposes described in this privacy policy.
The following information is processed about data subjects:
Customer contact information
Name, telephone number, email address, address, any coordinates, company name and organization number, contact information for corporate customer representatives (name, position, email, telephone number).
Identification and billing information
Social security number, date of birth, billing addresses (postal address, email address and e-invoice address), account number, tax-related information, invoice references.
Information related to customer orders
Description and instructions about the object (e.g. location, door code, registration number, recipient information), order content, service type and price, order status, timestamps and processing steps.
Communication information
Phone recordings, chat messages, email messages, message logs, customer and partner feedback, complaints, customer satisfaction information, information related to loyalty programs, marketing sources (e.g. promotions, website, search engines).
Technical and system-related information
Usernames, identifiers, timestamps for integrations and data transfers (e.g. HubSpot, Tracklution), publishing and dissemination information, log information, identifiers used in customer and partner systems, attachments (e.g. agreements, reports, invoices, order confirmations).
Disclosure of personal data
As a general rule, personal data is not disclosed to third parties. However, information may be provided to the following recipient groups:
- Service providers and subcontractors who provide IT services, customer communication, financial management, marketing and other support services for 24 Center AS (e.g. accounting and billing services, maintenance of websites and computer systems, communication and SMS services).
- Partners to whom the customer's order is communicated in order to deliver the service (e.g. installers and contractors). The partners only receive the information necessary to perform the assignment.
- Authorities and other actors to which 24 Center AS is obliged by law to disclose information (e.g. tax authorities, police or courts).
Data processing agreements have been entered into with all partners and service providers who process personal data, to ensure that the processing only takes place in accordance with instructions from 24 Center AS and applicable legislation.
Personal data is generally not transferred outside the EU or EEA. If a transfer is necessary (e.g. via a technical service provider), the controller ensures appropriate security measures (such as EU standard contractual clauses).
Protection of personal data
The controller processes personal data in a manner that ensures the confidentiality and integrity of the personal data, including protection against unlawful processing and accidental loss, destruction or damage.
Appropriate technical and organizational security measures are used to ensure this purpose, including the use of firewalls, encryption technology and secure premises for equipment, appropriate access control, careful handling of user names for information systems, and guidance of employees involved in the processing of personal data.
All employees who process personal data are subject to confidentiality obligations in accordance with employment agreements and separate confidentiality agreements that supplement these.
Data retention period
The controller processes personal data for the period necessary to fulfill the agreed service assignment and for the entire duration of the customer relationship. The customer relationship begins for one-time customers when the customer orders a service from 24 Center AS and ends when the customer or 24 Center AS requires it. For contract customers, the customer relationship applies for the entire duration of the contract.
When the customer relationship has ended, the personal data will be deleted or anonymized in accordance with the controller's deletion procedures no later than 1 month, unless there is another legal basis for continued storage.
Legislation (e.g. the Norwegian Accounting Act (2004 No. 73) and the Norwegian Tax Administration Act (2016 No. 14)) requires that certain personal data be stored for up to 5 years after the end of the financial year. In practice, some businesses may retain the data for up to 7–10 years for reasons of documentation requirements and possible legal obligations.
If the data subject has given their consent to the information being used for marketing purposes, the information may be stored for up to 10 years from the date it was collected, unless the data subject withdraws their consent before this.
The controller may also archive data to meet customer service and legal obligations. Archiving is carried out in a manner that ensures that access to the data is limited and adequately protected.
The controller reviews annually whether there is a valid legal basis for the storage of personal data and deletes data that is no longer necessary. The data subject has the right to request the deletion of their data if there is no other legal basis for the processing.
Profiling
The processing of personal data includes profiling. Profiling means automated processing of personal data, where certain personal characteristics of the data subject are assessed using the data. The data subject is profiled so that direct marketing and other communications can be better tailored to their interests. The data subject can opt out of telemarketing and marketing through the Reservation Register.
The rights of the data subject
Right to access
The data subject has the right to obtain confirmation as to whether their personal data is being processed and, if so, the right to obtain a copy of their personal data.
Right to rectification
The data subject has the right to request that incomplete or incorrect personal data concerning them be corrected. The data subject also has the right to supplement incomplete personal data by submitting necessary additional information.
Right to erasure
The data subject has the right to request the deletion of their personal data if:
a. personal data are no longer necessary for the purposes for which they were collected,
b. the data subject withdraws the consent on which the processing is based, and there is no other legal basis for the processing, or
c. personal data has been processed unlawfully.
Right to restriction of processing
The data subject has the right to restrict the processing of their personal data if:
a. the data subject disputes the accuracy of the information,
b. the processing is unlawful, but the data subject opposes erasure and requests restriction of use instead, or
c. the controller no longer needs the personal data for the original purposes, but the data subject needs them to establish, exercise or defend a legal claim.
Right to protest
The data subject has the right to object at any time to the processing of personal data on grounds relating to their particular situation.
The controller may no longer process the data subject's personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or if it is necessary for the establishment, exercise or defence of legal claims.
If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of his or her personal data for such marketing, including profiling related to direct marketing.
Right not to be subject to automated decisions
The data subject has the right not to be subject to a decision based solely on automated processing, such as profiling, which produces legal effects or similarly significantly affects the data subject.
This does not apply if the decision is necessary for entering into or fulfilling a contract between the data subject and the controller, or if it is based on the data subject's express consent.
Right to withdraw consent
The data subject has the right to withdraw his or her consent to the processing at any time, without affecting the lawfulness of the processing previously carried out on the basis of the consent.
Right to data portability
The data subject has the right to receive his or her personal data and the information he or she has provided in a structured, commonly used and machine-readable format, and the right to transmit this data to another controller.
Right to complain to the supervisory authority
The national supervisory authority for matters concerning personal data in Norway is the Norwegian Data Protection Authority. You have the right to bring the matter to the Norwegian Data Protection Authority if you believe that the processing of your personal data violates applicable legislation.
Change to the privacy policy
The controller is continuously developing its business and may therefore need to amend and update its privacy policy as necessary. The amendments may also be based on changes in data protection legislation.
If the changes include new purposes for the processing of personal data or the statement is otherwise significantly changed, the controller will notify this in advance and, if necessary, obtain consent from the data subjects.