Scandinavian Fjord
Nasjonalmuseet
Home · Privacy Policy
Privacy Policy
This Privacy Policy describes how we collect, use, store, and protect personal data when you visit scandinavianfjord.com (the "Site"). It is written to comply with the EU General Data Protection Regulation 2016/679 (GDPR) and the Norwegian Personal Data Act (personopplysningsloven).
1. Data Controller
The data controller for personal data processed through the Site is the editorial team operating the Site (the "Controller").
Contact: Scandinavian Fjord Visitor Guide — Editorial
14 Cort Adelers gate, 0254 Oslo, Norway
Email: privacy@scandinavianfjord.com
We are not currently required to appoint a Data Protection Officer under Article 37 GDPR, but you may direct any data protection enquiry to the email above.
2. Categories of Personal Data Collected
We process the minimum data necessary for the purposes stated in this Policy. Specifically:
- Identification & contact data — name, email address, message content (only when you submit the contact form).
- Technical data — IP address (truncated), browser type, device type, referring URL, pages viewed, timestamps.
- Cookie & consent data — your cookie preferences, the timestamp of your consent, and the policy version in effect.
We do not knowingly collect special categories of data (Article 9 GDPR), payment information, or precise geolocation.
3. Purposes and Legal Basis (Article 6 GDPR)
| Purpose | Data | Legal basis |
|---|---|---|
| Operating the Site & ensuring security | Technical data | Legitimate interest (Art. 6(1)(f)) |
| Responding to contact-form enquiries | Identification, contact data | Legitimate interest (Art. 6(1)(f)) — to handle your enquiry; or pre-contractual measures (Art. 6(1)(b)) |
| Aggregate analytics about usage | Technical data (anonymised) | Consent (Art. 6(1)(a)) — only if you accept analytics cookies |
| Cookie consent record-keeping | Consent data | Legal obligation (Art. 6(1)(c)) under ePrivacy |
| Defence of legal claims | All of the above | Legitimate interest (Art. 6(1)(f)) |
4. Recipients and Third-Party Processors
We share personal data only with carefully selected processors who provide infrastructure on our behalf, under written data-processing agreements compliant with Article 28 GDPR:
- Hosting provider — for serving the Site and storing log files. Servers within the EU/EEA.
- Email provider — for receiving contact-form enquiries. Servers within the EU/EEA.
- Privacy-preserving analytics (only with your consent) — aggregate, cookie-less analytics with no cross-site tracking.
We do not sell, rent, or otherwise commercially distribute personal data, and we do not engage in profiling or automated decision-making with legal effects on you.
5. International Transfers
All personal data is stored within the European Economic Area (EEA). If a processor we use becomes subject to an international transfer, we will use Standard Contractual Clauses (Article 46 GDPR) and update this Policy.
6. Retention Periods
- Contact-form messages: retained for 12 months from the date of last correspondence, then deleted.
- Server access logs: retained for 30 days for security and abuse prevention, then deleted.
- Cookie consent records: retained for 12 months or until you reset your consent.
- Aggregate analytics: retained in non-identifying form indefinitely.
7. Your Rights under the GDPR
You have the following rights, exercisable free of charge by writing to the email above:
- Right of access (Art. 15) — to know what personal data we hold about you.
- Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17) — to have your data deleted in the cases foreseen by GDPR.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — to receive a structured, machine-readable copy of data you provided.
- Right to object (Art. 21) — including objection to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of prior processing.
- Right to lodge a complaint with the Norwegian Data Protection Authority — Datatilsynet, P.O. Box 458 Sentrum, NO-0105 Oslo, postkasse@datatilsynet.no — or with the supervisory authority of your habitual residence in the EU/EEA.
We will respond to all rights requests within one month (Article 12(3) GDPR), or notify you of any reasoned extension.
8. Children's Data
The Site is not directed to children under 13. We do not knowingly collect personal data from children under that age. In Norway, the digital age of consent for online services under Article 8 GDPR is 13. If you are a parent and believe your child has provided personal data to us, contact us and we will delete it.
9. Cookies
Detailed information about cookies is provided in our Cookie Policy. Where consent is required, we obtain it through the cookie consent banner.
10. Security Measures
We implement technical and organisational measures appropriate to the risks of processing (Article 32 GDPR), including TLS encryption in transit, access controls on processor accounts, regular software updates, and minimisation of data collected. No method of transmission over the internet is 100% secure; in the event of a personal data breach affecting your rights and freedoms, we will notify the Datatilsynet within 72 hours and you, where required, without undue delay (Articles 33–34 GDPR).
11. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date above reflects the latest revision. Material changes will be highlighted on the Site. Where consent has been collected, we will renew consent before applying material changes that would affect that consent.
12. Contact and Complaints
For any privacy enquiry: privacy@scandinavianfjord.com. To lodge a formal complaint: Datatilsynet (Norwegian Data Protection Authority), datatilsynet.no.
See also: Terms of Use · Cookie Policy