Privacy policy - Statsraad Lehmkuhl

1. Privacy Policy and Data Controller

This Privacy Policy informs you about how the Foundation Seilskipet Statsraad Lehmkuhl (SSSL) collects and uses personal data.

Foundation Seilskipet Statsraad Lehmkuhl’s address:

Skur 7, Bradbenken 2, 5003 Bergen, Norway

Contact Information: Phone: +47 55 30 178 00. Email: lehmkuhl@lehmkuhl.no.

Foundation Seilskipet Statsraad Lehmkuhl is the data controller for the personal data collected about you.

2. What is Personal Data

Personal data is any information that describes you or can be linked to you as an individual. This may include contact information (name, phone number, etc.), identification numbers (IP address, customer number, cookie ID, etc.), and information about actions or behavior (products you have purchased, pages you have visited, emails you have received, etc.).

SSSL places great emphasis on protecting the personal data entrusted to us. SSSL ensures careful handling of your data and complies with the laws and regulations arising from the General Data Protection Regulation (GDPR).

3. Why We Collect Personal Data, and the Purpose of It

3.1 Collection of Personal Data in Connection with Sailing Voyages

Most of our sailing voyages are booked well in advance. Personal data is necessary for both handling the booking at the office and on board the ship during the voyage. Therefore, personal data is temporarily stored in a database at SSSL.

After you disembark from a sailing voyage, all personal and contact information about you, as well as contact information about your next of kin, will be deleted within one year.

SSSL does not store personal data longer than necessary for the purpose for which it was provided or as required by law.

For participation in sailing voyages (not applicable to coastal cruises and/or activities on board when the ship is docked), we will request the following personal information:

First name, last name, middle name
Date of birth
Gender
Address
Phone number
Email address
Passport number and expiration date (for voyages abroad)
Allergies and dietary needs
Health status and medication use relevant to the voyage
Information about next of kin
First name and last name
Phone number
Any flight information
Information about relevant health conditions/medication use is shared with our ship’s doctors, who are bound by confidentiality.

Contact information for your next of kin: We assume that you will inform the person that you have shared their contact information with us. We will only use the contact information in case of an emergency.

3.2 Statistics for Website Improvement and Marketing Communication

We collect and analyze data on how you and other users use the website. The purpose of this is to understand how the website is used, so we can improve our content and our products/services based on this insight.

What Data: Behavioral data (which pages you visit, what you click on, etc.), data about your device (type of computer/mobile phone, operating system, browser, etc.), data about your network and location (derived from IP address). All data is linked to an anonymous ID number stored in a cookie in your browser (read more about cookies).

Legal Basis: Legitimate interest. We derive significant value from collecting and analyzing this data, and we assess that it does not pose a significant burden on your privacy as long as the information is not linked to other information sources and contact details.

How We Process Personal Data: We use Google Analytics to collect this data from your browser. The data is stored on Google’s servers but owned by us. It is not linked to other tools or sources unless you have given consent (see other purposes). To minimize the impact on privacy, the IP address is stored only in anonymized form (read about IP anonymization), and we set the cookie expiration time that identifies you to a maximum of 7 days. Once the cookie has expired, the data will no longer be linked to you as a person. Additionally, all individual data will be automatically deleted by Google Analytics after 14 months.

3.3 Conversion Tracking for Advertising

We measure the results of our marketing by reporting how many contacts and sales result from a marketing campaign. The purpose is to optimize and streamline our marketing.

What Data: That you have performed a specific action on our website and from which source you accessed our website. Also linked to all other data collected for statistics (see above).

Legal Basis: Legitimate interest. This data processing enables us to use our resources most efficiently and save both effort and money on actions that do not yield results. In cases where data collection cannot be conducted without linking data to other information from third parties, we rely on your active consent.

How We Process Personal Data: The data processing follows the same principles as for general statistical purposes. Based on legitimate interest, we collect and process data in Google Analytics, and we send data to Google Ads using Consent Mode (data is sent without cookie information). If you have consented to “marketing,” we send data to Google Ads in the usual way, as well as to Facebook, Bing, and any other advertising providers (more about advertising below).

3.4 Targeted Advertising

We collect data about your behavior on our websites and share this with various advertising providers (data processors) to achieve more precise targeting of advertisements.

Legal Basis: Consent, which you give by accepting “marketing” as a purpose (or “all”) when you visit our websites.

How We Process Personal Data:

Data is collected from your browser when you visit our sites and sent to storage and processing with the advertising provider. We use several different providers, including Google Ads, Google Marketing Platform, Facebook, Microsoft Bing, LinkedIn. Subsequently, you are placed in various “audiences” with these providers, enabling us to buy advertisements from them that you see when you visit other websites in their network. Therefore, you will often see ads for Synlighet in many different places after you have visited our sites. Data about you is also included in your general profile with the provider and is used to describe your interests and estimate other characteristics about you (profiling). If you have provided contact information or other personal information to the provider (e.g., Facebook), the data is also linked to this. This forms the basis for other advertisers than Synlighet using the same ad network to buy ads with more precise targeting. The consequence for you is that the ads you see are more tailored to you and your situation. To avoid data about your behavior on our sites being used in this way, you can choose not to consent to the use of cookies for “marketing.” To avoid advertisers collecting such data and using it to create a profile on you, you can either delete/reject all cookies in your browser or edit your settings with the provider. Here are links to how you can do this with Google, Facebook, and LinkedIn.

3.5 Transfer of Personal Data to Recipients in Countries Outside the EEA

Our goal is to ensure that all personal data processing occurs within the EEA, but we may use suppliers or process personal data outside the EEA. In such cases, transfer and processing outside the EEA will occur in countries approved by the European Commission or in accordance with valid legal grounds for transferring personal data under GDPR Chapter V. If the transfer does not occur to countries approved by the European Commission, the transfer will only take place according to the guarantees set out in GDPR Article 46 (2). You can obtain information about the basis used for the transfer by contacting us. Both the providers we use for advertising and analysis (such as Google, Facebook, etc.) are aware of the challenges and requirements resulting from the “Schrems II” ruling, and we are working to find good solutions to this.

4. Your Rights

Below are your rights as a data subject. To exercise your rights, you must [fill in how the data subject must proceed, e.g., contact us, see contact information above].

We will respond to your request as soon as possible and no later than 30 days. If it takes longer than 30 days, you will be notified.

We may ask you to confirm your identity or provide additional information before we allow you to exercise your rights with us. We do this to ensure that we only give access to your personal data to you – and not to someone pretending to be you. When it comes to information collected based on your identification using cookies, such confirmation may be difficult. Therefore, we cannot give you access to this information other than in general terms, or make changes or deletions. If you delete cookies in your browser, the information we have stored will no longer be linked to you.

4.2 Information

You have the right to receive information about the personal data we process about you. Through this declaration, we inform you about our processing of personal data. You can also contact us if you want more information.

4.3 Access

You have the right to request access to the personal data processed about you.

4.4 Correction and Deletion

You can also ask us to correct incorrect information we have about you or request that we delete personal data. We will comply with a request to delete personal data as far as possible, but we may not be able to do so if we still need the data.

4.5 Processing Based on Consent

If we process personal data based on your consent, you can withdraw your consent at any time. The easiest way to do this is to use the method provided when you gave your consent or contact us.

4.6 Right to Restrict or Object to Processing

You have the right to restrict processing in certain cases, such as if:

a) You dispute the accuracy of the personal data, for a period that allows us to verify the accuracy of the personal data.

b) The processing is unlawful, and you object to the deletion of the personal data and instead request that the use of the personal data be restricted.

c) We no longer need the personal data for the purpose of the processing, but you need it to establish, exercise, or defend legal claims.

d) You have objected to processing under GDPR Article 21 (1) pending the verification of whether our legitimate interests override your privacy.

4.7 The Right to Data Portability

For information that you have provided to us and is necessary to fulfill an agreement with us and that is processed automatically (i.e., not manually by us), you can request that the personal data about you be delivered or transferred to another provider in a structured, commonly used, and machine-readable format (data portability).

4.8 Automated Decisions, Including Profiling

Automated decisions as mentioned in GDPR Article 22 (1) and 4 will not be made based on your personal data, except as done under targeted advertising, see above.

5. General Information About Retention and Storage (Deletion) of Personal Data

We retain personal data as long as necessary for the purpose for which the personal data was collected and delete the data in accordance with legal requirements. How long we process the various types of data we process is described above where the individual processing is discussed.

Instead of deleting personal data, it may be relevant in some cases to anonymize the personal data. Anonymization means that all identifying or potentially identifying characteristics are removed from data sets that are retained.

For example, personal data that we process based on your consent will be deleted if you withdraw your consent. Personal data we process to fulfill an agreement with you will be deleted when the agreement is fulfilled, and all obligations arising from the contractual relationship are met, such as legal obligations related to accounting, customer follow-up related to complaints, etc.

When it comes to participation in sailing voyages, all information that can be linked to you as a person will be deleted one year after the completed voyage.

6. Security of Processing

We prioritize the security of personal data in our business and will implement all required technical and organizational measures to secure your personal data. All processing will be encrypted where possible and not available to anyone other than those who need personal data for their tasks.

We handle information so that it is accurate, accessible, and managed according to the sensitivity level of the data. We also use a range of security technologies and information security procedures to protect your personal data from unauthorized access, use, or disclosure. Where necessary, risk assessments are conducted.

We have entered into data processing agreements with all our suppliers who process personal data, where they undertake the same level of security as we have in our processing of personal data.

We limit access to your personal data to the personnel or third parties who will process the data on our behalf. These parties are subject to strict confidentiality requirements, and we can impose sanctions or terminate the agreement if these requirements are not met.

There are established routines for handling information security breaches and procedures (personal data breaches), and if there is a breach that involves a risk to the privacy of the data subjects, we will send a deviation report to the Norwegian Data Protection Authority as soon as possible and no later than 72 hours after the breach was discovered. If the breach poses a high likelihood of compromising the privacy of the affected individuals, we will also notify them.

7. Complaints

We use the Norwegian Data Protection Authority as the lead supervisory authority for cross-border processing under GDPR Article 56.

If you believe that our processing of personal data is not in accordance with what we have described here or that we are otherwise violating privacy laws, you can file a complaint with the Norwegian Data Protection Authority. However, we ask that you contact us first so that we can address any errors as quickly as possible.

You can find information about your rights and how to contact the Norwegian Data Protection Authority on the Authority’s website: www.datatilsynet.no.

8. Changes

If there are changes to our services or changes in the regulations on the processing of personal data, this may lead to changes in the information provided here. If we have your contact information, we will notify you of these changes. Otherwise, updated information will always be easily accessible on our websites.