This Privacy Statement (the "Privacy Statement") describes the information that Jotun collects from or about you ("Personal Data"), and how we use and to whom we disclose such data. Jotun A/S or the Jotun company which controls the Personal Data is the so-called “data controller” for the Personal Data that is processed about you. Country specific versions of the Privacy statement may be downloaded below.
Purpose of this document
This Privacy Statement is developed to state the processing activities of Jotun and inform Data Subjects of their rights related to protection of Personal Data.
Organisations and data subjects covered by this statement
“Jotun” includes the parent company, Jotun A/S, and its subsidiaries. All references in this Privacy Statement to "Jotun", "we", "us", "our" and like terms should be interpreted accordingly. This Privacy Statement applies to the Personal Data of all individuals that is either a Customer, an employee of a Customer, a Supplier or an employee of a Supplier or individuals registering their personal data on www.jotun.com (the “Data Subject”).
Legal framework and compliance
The Jotun Group has entered a set of data protection rules and policies, binding for all companies. The so-called Jotun Binding Corporate Rules (“BCR”), with corresponding policies, procedures and guidelines are worked out in order to be compliant with the General Data Protection Directive, (EU) 2016/679 ("GDPR"). The BCR application is submitted to, and is currently being handled by the Norwegian Data Protection Authority as a lead authority. With common data protection rules across Jotun, we ensure an adequate level of protection for all Data Subjects including when Personal Data is transferred between different Group companies to different countries. It is Jotun's obligation to comply with the privacy law within each country in which we operate. Sometimes this legislation and/or a Data Subject's right to data protection are different from one country to another. Data Subjects keep any rights they have under local law. This Privacy Statement shall apply only where it provides additional protection. Where local law provides more protection than this Privacy Statement, local law shall apply.
What is personal data?
Personal Data is any information related to a person that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. Personal Data does not include anonymous or non-personal information (i.e., information that cannot be associated with or tracked back to a specific individual).
For which business purposes do we collect personal data?
Personal Data of Data Subjects, shall be collected, used or otherwise Processed for one (or more) of the following Business Purposes:
Providing, development and improvement of products and/or services purposes.
- Conclusion and execution of agreements with Customers, Suppliers and Business Partners.
- Relationship management and marketing purposes. This includes activities such as maintaining and promoting contact with Customers, Suppliers and Business Partners, account management, customer service, recalls and the development, execution, and analysis of market surveys and marketing strategies.
- Business process execution, internal management, and management reporting purposes.
- Health, safety and security purposes.
- In order to comply with legal obligations.
- In order to protect vital interests of Employees or Data Subjects.
What kind of personal data does Jotun collect from you?
Jotun collects and maintains different types of Personal Data in respect of Data Subjects. This includes e.g. the Personal Data contained in:
- Contact information such as name and address, telephone numbers and email address.
- Business details, including the names of relevant office holders of a company and business numbers.
- Where permitted or required by applicable law or regulatory requirements, Jotun may collect information about you without your knowledge or consent.
We may use the information stated in article 7 to inform and promote our products and/or services. If we choose to promote such information we will ask for your explicit consent and give you an “opt out” option for being contacted. This information will not be disclosed to any other third parties outside of Jotun. Without consent we may use the information stated under article 7 to inform and promote information related to products and/or services purchased from Jotun.
When do we disclose your personal data?
We may share your Personal Data with our Employees, contractors, consultants and other parties (including other members of the Jotun group) who require such information to assist us fulfilling the business purposes of Jotun. This includes parties that provide products or services to us or on our behalf. In some instances, such parties may also provide certain information technology and data processing services to us so that we may operate our business. We may share Personal Data with such parties both in and outside of your home jurisdiction, and as a result, your Personal Data may be collected, used, processed, stored or disclosed in Norway or any other country where Jotun is present.
Transfer and disclosure of personal data
Personal Data is only transferred to external parties, outside the Jotun Group if this is required or permitted under the applicable privacy legislation. When we share Personal Data with external parties we require that the external party enters into a Data Processing Agreement (DPA) with Jotun in compliance with the GDPR. Such parties may only use or disclose Personal Data in a manner consistent with the use and disclosure provisions of this Privacy Statement. Further, your Personal Data may be disclosed in the following situations:
- If permitted or required by applicable law or regulatory requirements. In such a case, we will endeavour to not disclose more Personal Data than is required under the circumstances.
- To comply with valid legal processes such as search warrants, subpoenas or court orders; or
- As part of Jotun's regular reporting activities to other members of the Jotun group (including outside of your home jurisdiction); or
- As part of transactions or divestments which involves third parties. In such a case, we will endeavour to not disclose more Personal Data than is required under the circumstances.
- To protect the rights and property of Jotun;
- During emergency situations or where necessary to protect the safety of a person or group of persons;
- Where the Personal Data is publicly available; or
- With your consent where such consent is required by law.
Notification and consent
Privacy laws do not generally require to obtain your consent for the collection, use or disclosure of Personal Data for the purpose of conducting the business purposes of Jotun. In addition, we may collect, use or disclose your Personal Data without your knowledge or consent where we are permitted or required by applicable law or regulatory requirements to do so. In some situations, however, it might be that your consent is required for our collection, use or disclosure of your Personal Data. In such cases you may at any time, subject to legal or contractual restrictions and reasonable Statement, withdraw your consent. If you choose to withdraw your consent, please send an email to your contact person in Jotun or to firstname.lastname@example.org.
How is your personal data protected?
Jotun endeavours to maintain physical, technical and procedural safeguards that are appropriate to the sensitivity of the Personal Data in question. These safeguards are designed to protect your Personal Data from loss and unauthorised access, copying, use, modification or disclosure.
Personal data retention
Except as otherwise permitted or required by laws or regulations, Jotun endeavours to retain your Personal Data only for as long as we believe is necessary to fulfil the purposes for which the Personal Data was collected. We may, instead of destroying or erasing your Personal Data, make it anonymous so that it cannot be associated with or tracked back to you.
Updating your personal data
It is important that the Personal Data in our records is both accurate and current. If your Personal Data happens to change, please keep us informed of such changes.
Access, corrections and deleting persobal data
You have the right to access information about your Personal Data. If you want to review, verify, correct or delete your Personal Data, please send an email to email@example.com. We will take necessary steps to confirm the data subject’s identity before providing any information regarding personal data. The request will, when the requestor's identity is confirmed, be answered within 30 days. In some instances, the request may take longer, but we will inform you accordingly and send an answer at the latest within 90 days.
Your right to access the Personal Data is not absolute. There are instances where law or regulations allow or require us to refuse to provide some of the Personal Data. It may also be statutory requirements preventing us from deleting some Personal Data. In the event that we cannot adhere to your request, we will endeavour to inform you of the reasons why, subject to any legal or regulatory restrictions.
Inquiries or concerns
If you have any questions about this Privacy Statement or concerns about how we manage your Personal Data or if you wish to file a complaint, please contact our Global Data Protection Officer at firstname.lastname@example.org. We will endeavour to answer your questions and advise you of any steps taken to address the issues raised by you at our earliest convenience and at the latest within one month after your request was made.
If you wish to file a complaint regarding compliance with this Privacy Statement or violations of your rights, you may send the complaint to: email@example.com; Global Data Protection Officer; Lodge a complaint at your local supervisory authority in the EU/EEA member. State where you have your habitual residence, place of work or the place where the alleged violation took place (e.g. Datatilsynet, P.O. 8177 Dep., 0034 Oslo, Norway); or lodge a complaint before the competent court where Jotun has an establishment.
Revisions to this privacy statement
Jotun may from time to time make changes to this Privacy Statement to reflect changes in our legal obligations or in the manner we deal with your Personal Data. We will communicate any revised version of this Privacy Statement. The at all times applicable and updated Data Protection Statement is available on www.jotun.com. Any changes to this Privacy Statement will be effective from the time they are communicated. Any change that relates to why we collect, use or disclose your Personal Data, that require your consent, will not apply to you until we have obtained your consent.
Interpretation of this privacy statement
This Privacy Statement includes examples but is not intended to be restricted only to such examples. Therefore, where the word 'including' is used, it shall mean; including but not limited to.