GDPR & Privacy

1.1 Privacy Policy

Effective Date: 01.02.2025

Introduction

Telenor Cyberdefence (“we,” “us,” or “our”) is committed to protecting the privacy and security of our clients, partners, and users. This Privacy Policy outlines how we collect, use, disclose, and protect your personal data in connection with the security services we provide to businesses in the Nordic market. By using our services, you agree to the practices described in this policy.

  1. Data We Collect

We collect personal data necessary to provide our services effectively. This includes:

  • Contact Information: Names, job titles, email addresses, phone numbers, and business addresses.
  • Account Information: Usernames, passwords, and account settings for our service portal.
  • Service Data: Logs, metadata, and network traffic data related to our security services, including IP addresses and device identifiers.
  • Payment Information: Billing details, including credit card information or bank account details.
  • Communication Data: Emails, messages, or other communications you have with us.
  • Usage Data: Data about how you interact with our website, portal, and services.

  2. How We Use Your Data

We use the collected data to:

  • Provide and maintain our security services.
  • Detect, prevent, and respond to security incidents and threats.
  • Communicate with you about updates, maintenance, or support.
  • Conduct billing and payment processing.
  • Comply with legal and regulatory obligations.
  • Improve our services through analytics and feedback.

  3. Legal Basis for Processing

We process personal data based on the following legal grounds:

  • Contractual Obligation: To fulfill our obligations under the service agreement.
  • Legal Compliance: To meet legal and regulatory requirements.
  • Legitimate Interest: To improve and protect our services and your business.
  • Consent: When you provide explicit consent for specific uses.

  4. Data Sharing and Disclosure

We do not sell your personal data. We may share your data with:

  • Service Providers: Trusted third parties who assist in delivering our services (e.g., cloud hosting, payment processors).
  • Partners: Authorized business partners who help deliver services to you.
  • Legal Authorities: When required by law, court orders, or to protect our legal rights.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets.

  5. International Data Transfers

We may transfer your data outside the Nordic region to provide our services. When we do, we ensure appropriate safeguards are in place, such as EU Standard Contractual Clauses or equivalent measures, to protect your data.

  6. Data Retention

We retain your data only for as long as necessary to:

  • Provide our services.
  • Comply with legal obligations.
  • Resolve disputes.
  • Enforce our agreements.

When no longer needed, we securely delete or anonymize your data.

  7. Data Security

We implement technical and organizational measures to protect your personal data from unauthorized access, disclosure, or destruction. These include encryption, secure servers, and regular security audits.

  8. Your Rights

You have the following rights under applicable privacy laws:

  • Access: Request access to your personal data.
  • Correction: Request corrections to inaccurate data.
  • Deletion: Request deletion of your data (subject to legal obligations).
  • Restriction: Request restriction of processing under certain conditions.
  • Portability: Request a copy of your data in a portable format.
  • Objection: Object to data processing based on legitimate interests.
  • Withdraw Consent: Withdraw your consent at any time.

To exercise your rights, contact us at dpo@telenorcyberdefence.com.

  9. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience on our website. For more information, see our Cookie Policy.

  10. Updates to This Policy

We may update this Privacy Policy periodically. Any changes will be posted on our website with the updated effective date. We encourage you to review this policy regularly.

1.2 GDPR and Data Protection

Telenor Cyberdefence is committed to protecting personal data and complying with the EU General Data Protection Regulation (GDPR). Our GDPR compliance framework is embedded in how we design, deliver, and operate cybersecurity services for our customers.

We ensure GDPR compliance through the following measures:

  • Privacy-by-design in security services
    Privacy and data protection considerations are embedded into the design and operation of our services, including Managed Detection and Response (MDR), incident response, threat intelligence, and security monitoring.
  • Clear roles as Controller and Processor
    Depending on the service, Telenor Cyberdefence acts either as a data processor on behalf of customers or as a data controller for limited internal and business-related processing. These roles are defined in our contracts and Data Processing Addendums (DPAs).
  • Contractual safeguards and DPAs
    We maintain GDPR-compliant Data Processing Addendums with our customers and with our sub-processors, ensuring lawful processing, confidentiality, security, and appropriate international data transfer mechanisms where applicable.
  • Secure handling of security telemetry and logs
    Personal data that may be processed as part of security monitoring (e.g. logs, alerts, identifiers) is handled in accordance with strict access controls, encryption in transit and at rest, logging, and retention policies aligned with GDPR principles of data minimisation and purpose limitation.
  • Vendor and sub-processor governance
    All vendors and sub-processors are subject to onboarding due diligence and periodic reviews to ensure compliance with applicable data protection and security requirements.
  • Risk assessments and data mapping
    We conduct regular privacy and security risk assessments, including data mapping, to ensure appropriate handling of personal data throughout our services and internal operations.
  • Incident and breach management
    We maintain documented procedures for handling suspected personal data breaches, including assessment, containment, notification, and cooperation with customers and supervisory authorities where required.
  • Data subject rights
    We support our customers in responding to data subject rights requests where we act as a processor, and we have internal procedures for responding to such requests where we act as a controller.
  • Governance, training, and oversight 
    We appoint a Data Protection Officer (DPO) responsible for monitoring GDPR compliance, advising the organisation, and acting as a point of contact for supervisory authorities and individuals. Regular privacy and security training is provided to relevant staff.
  • Independent assurance
    Our information security management system is audited annually by independent third parties in accordance with ISO/IEC 27001:2023.
  • Transparency
    We are transparent about how we collect, use, and disclose personal data, including through our Privacy Policy, and we notify customers of material changes to our data handling practices where required.

1.3 Data Processing Addendum (DPA)

When Telenor Cyberdefence processes personal data on behalf of customers in delivering cybersecurity services, we act as a data processor under the GDPR.

We enter into a GDPR-compliant Data Processing Addendum (DPA) with our customers, which governs, among other things:

  • the subject matter, duration, nature and purpose of the processing
  • the types of personal data and categories of data subjects
  • confidentiality and security measures
  • use of sub-processors
  • international data transfers, where applicable
  • assistance with data subject rights and regulatory obligations
  • audit and compliance requirements

Our standard DPA is aligned with Article 28 GDPR and reflects the nature of security services such as Managed Detection and Response (MDR), incident response, and security monitoring.

Where required, the DPA may be supplemented to reflect customer-specific legal or regulatory requirements.

1.4 Transfer Impact Assessment (TIA)

When international data transfers are required, we conduct a structured Transfer Impact Assessment to evaluate potential risks and ensure compliance with GDPR Chapter V and the EDPB recommendations. Our TIA process examines legal frameworks, security controls, access risks, and available safeguards. The resulting assessment helps customers understand how their data is protected when processed outside the EEA, and which technical, contractual, and organisational measures apply.

1.5 Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment is performed when a planned processing activity may pose a high risk to individuals’ rights and freedoms. Our DPIA framework follows GDPR Article 35 and integrates risk analysis, privacy-by-design principles, and mitigation planning. We support customers in ensuring that processing operations – such as threat detection, log ingestion, or incident response – are designed with strong privacy controls, transparency, and proportionality from the outset.