Personal data refers to any information that can be directly or indirectly linked to a physical person. This can include name, residential address, phone number, email address, vehicle registration number, type of residence, etc., as long as the information is connected to an individual.

Any collection, registration, compilation, storage, and disclosure of personal data is referred to as the processing of personal data. The entity that determines the purpose and means of the processing is called the data controller. The data controller must ensure that the processing of personal data complies with applicable laws. When Data Factory collects data from publicly available sources, Data Factory is the data controller for the subsequent use of the information.

If Data Factory assists our customers with updating and/or quality assurance of their personal data, we act as a data processor on behalf of the customer. In these cases, a data processing agreement will always be established.

At Data Factory, the CEO is responsible for the processing of personal data. We have also appointed a Data Protection Officer (DPO). The DPO's task is to ensure that Data Factory complies with the Personal Data Act and GDPR and to serve as a resource for both Data Factory and data subjects regarding the processing of personal data.

Data Factory primarily collects personal data from publicly available sources. We obtain personal data from the Reservation Register, the Property Register, the Motor Vehicle Register, the Shareholder Register, the Business Register, and telecommunications providers. We clean and quality-assure these records against the National Population Register and the Postal Address Register.

The categories of data processed include:

• Contact data - name, address, postal code/city, phone number
• Identification data - date of birth, gender, and age
• Unique identification data - national ID number and Digipost ID
• Status - deceased, emigrated, reserved, and roles
• Object data - ownership of properties, vehicles, and shares
• Statistical and demographic data - including data from Statistics Norway (SSB)

We store information when you contact us, such as by sending an email or providing feedback through service functions, so we can respond to your inquiries. We also store data/information that you enter in comment fields, forms, or similar on our pages. This information is kept to respond to your specific request.

Data Factory offers various services within the field of data quality. Based on this, we use the collected information for the following purposes:

• Directory inquiry - the purpose is to provide a person's contact details upon request by searching for a name, address, or phone number.
• Data quality - the purpose is to ensure that customer records are accurate and up to date. The processing verifies, corrects, updates, and enriches data based on the customer's needs and legal basis.
• Rental of contact data - the purpose is to assist our customers in their sales and marketing activities. Data is rented for a limited time while complying with reservations and legal requirements.
• Development of statistical variables - based on public data, Data Factory has developed statistical variables used for analysis and segmentation without linking them to individuals.
• Competitions - we may store necessary contact details in connection with competitions, which are deleted once the competition has ended.

Data Factory mainly processes personal data based on Article 6 - paragraph 1 (f) of the GDPR, referred to as 'legitimate interest.'

According to GDPR Article 6(1)(f), processing is lawful when it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, particularly if the data subject is a child.

Data Factory's assessment is that the purposes for which the data is used - directory inquiry, analysis, data quality, and direct marketing - are necessary for each business. The processing is limited to information from publicly available sources and only to what is necessary for the purpose.

For the company's directory inquiry services, the processing is also based on the E-communications Act and related regulations.

Data Factory has developed a set of statistical variables. These have been created by compiling personal data from various public data sources. The result is a set of variables at an anonymous and aggregated level. The variables are linked to geographic areas, age, or gender. The variables may suggest certain characteristics based on residence, age, or gender - but will always remain statistical and never be linked to an individual person. The variables themselves are not considered personal data under the GDPR. Data Factory has developed these variables to support our customers' business processes.

Data Factory shares personal data with our customers as described under our products and services and elsewhere in this privacy policy. We enter into agreements with the parties we share data with, which restrict the use of the information and establish obligations to comply with applicable data protection legislation.

Categories of customers Data Factory receives and delivers personal data to include:

• Energy companies
• Banking, financial, and insurance companies
• Car importers, dealerships, and workshops
• Transportation companies
• Hotel and restaurant industries
• Retail and e-commerce businesses
• Public authorities
• Interest organizations
• Various service companies

If required by law, or if there is suspicion that a criminal offense has been committed in connection with the use of our services, the information we have stored about you may be disclosed to public authorities.

Data Factory's clear position is that we do not process personal data about individuals under the age of 18. We never rent out data about individuals under 18 for marketing purposes. However, we process personal data of individuals under 18 in two cases: when providing data to market and opinion research institutes that may contact individuals from the age of 15, and when receiving data about individuals under 18 from public telecommunications providers for directory inquiry purposes.

Data Factory stores all processed data with Microsoft - Azure. Parts of our internal control and the safeguarding of stored data are handled by Microsoft. We do not store personal data longer than necessary to fulfill the purposes of processing and our legal obligations.

It is important that the information we have about you is accurate and up to date. If you discover any errors, we encourage you to contact the source directly - such as the Reservation Register, National Population Register, Property Register, Vehicle Register, Shareholder Register, Role Register, your telecom provider, or the Postal Address Register - or to contact us directly. Correcting data at the source ensures that updates remain accurate everywhere.

If you wish to see what information we have registered about you or to opt out of having your data used for sales, marketing, directory services, or data quality services, you can use our self-service portal: https://insight.datafactory.online/. Here you can also download a copy of your registered data as a zipped file.

You can request that your data be deleted and no longer used in Data Factory´s products. We fully respect such requests. However, we must retain minimal information to prevent future processing when updates are received. To request deletion, contact privacy@datafactory.no.

We may periodically update this privacy policy to reflect any changes in our framework conditions or products. In the event of significant changes, we will provide specific information in the affected products.

The Data Protection Authority supervises compliance with regulations in Norway. You have the right to file a complaint with the Authority if you believe that Data Factory is processing personal data incorrectly.

If you have any questions about our processing of personal data or this privacy policy, please contact us at privacy@datafactory.no