1. Introduction

AML Compliance AS (hereafter “AML Compliance”) is subject to the Norwegian Personal Data Act, which implements EUs General Data Protection Regulation (GDPR). The personal Data Acts aim is to protect natural persons rights, freedoms, and privacy interests. Personal data means any information that can be linked to a natural person either directly or indirectly.  

AML Compliance AS processes personal data about AML-app users, our business customers contact persons, potential customers, as well as employees of our partners (“data subjects”).

As the provider of the AML app, AML Compliance AS is the “data processor” for training in anti-money laundering and terrorist financing for the entities using the AML app for training for its employees. This means that AML Compliance processes data on behalf of our business customers, and that the business customer is the “controller” of the data.

AML Compliance is the “controller” when processing personal data about our business customers contact persons, potential customers, and employees of our partners.

In this document, we explain what personal data we process about data subjects, how we process such data and why it is necessary for us to process the personal data. The Privacy Policy also explains the sources from which the personal data originates, how long we process the personal data and whether we use suppliers (“data processors”) in connection with the processing. For AML compliances processing of personal data as a controller, we also explain the legal basis and the purpose of the processing.

2. General regarding the processing of personal data

We are concerned with protecting the privacy of the data subjects. All processed personal data about the data subjects are adequate, relevant and limited to what is necessary to achieve the purpose of the processing activity. If we discover information that is incorrect, we will as soon as possible correct or delete the information. We do not store or process personal data for a longer period of time than necessary to achieve the purpose of the processing activity. 

We assure you that we take information security seriously, and that we will protect your personal data against unauthorized access (confidentiality) and changes (integrity). Only authorized personnel can access personal data about the data subjects. We are responsible for ensuring that the systems we use are robust and reliable, so that we have access to the information we need (availability).

AML Compliance, included our data processors, only process and store data within the EU/EEA. 

3. Use of third parties (data processors) and disclosure of personal data

We use Attensi AS and The Lawfirm Erling Grimstad AS as data processors. We have entered into a written data processing agreement with both companies. The data processing agreements regulate how the companies must process personal data in accordance with instructions from us, as well as establish satisfactory information security to protect the personal data. 

Attensi AS operates the technical platform for the AML app, called Attensi Skills. The Lawfirm Erling Grimstad AS is responsible for customer administration and support inquiries from AML app users. 

4. Processing activities

4.1. Customer administration

In connection with entering into an agreement with a business customer, The Law firm Erling Grimstad, on behalf of AML Compliance, process personal data about the customer’s appointed contact person. This includes name, telephone number, e-mail, and job title. The information is stored in a customer list. The purpose of the processing is to enter into an agreement with the business customer and fulfill the agreement. The legal basis for the processing activity is GDPR article 6 no. 1 letter f (balancing of interests). The contact details are obtained from the customer themselves or publicly available information from the internet. The information is deleted after the agreement with the business customer ends.

The Law Firm Erling Grimstad, on behalf of AML Compliance, process contact details of the customer´s appointed contact person in relation to communication with the customer. The processing activity includes communication on e-mail. The purpose of the processing activity is to fulfill the agreement with the customer.  The legal basis for the processing activity is GDPR article 6 no. 1 letter f (balancing of interests). The e-mails are deleted on an ongoing basis. 

Contact details for employees of business customers are processed in connection with invoicing from us. The legal basis for processing is GDPR article 6 no. 1 letter f (balancing of interests).

4.2. The AML app website

Contact form: On our website, you can voluntarily contact us via a contact form by entering your name and email. The personal information we receive from the contact form is not used for purposes other than answering your inquiry. The legal basis for the processing is GDPR article 6 no. 1 letter a (consent). After we have answered your inquiry, your personal data will be deleted, unless otherwise agreed separately. The Law Firm Erling Grimstad answers inquiries on behalf of AML Compliance. 

Cookies: Our website uses cookies. Se separate cookie banner for information about cookies on our website. 

5. Rights of the data subject

When we process personal data about you, you have rights according to the privacy regulations. Below we explain these rights in more detail and when they apply. If you wish to enforce your rights, please contact the persons mentioned below (see contact information).

Right to information:

The right to information means that you can contact us for detailed information about how we process personal data about you. However, there are certain exceptions to the right to information.

Right to access:

The right to access means that you are entitled to receive a copy of the information that we have stored about you. However, there are certain exceptions to the right to access.

Right to rectification:

The right to rectification means that you have the right to have incorrect or incomplete personal data about yourself corrected or updated.

Right to erasure:

The right to erasure means that you have the right to have information about yourself erased if the personal data is no longer necessary for the purpose for which it was collected, or if you object to the legality of the processing.

Right to restriction of processing:

The right to restriction of processing means that you are entitled to have the processing restricted if you dispute the correctness of the personal data, the processing is illegal, or the personal data is no longer necessary for the purpose for which it was collected.

Right to object to the processing:

The right to object to processing means that you can object to processing based on our legitimate interests if there are special reasons. However, this does not apply if we can show a compelling justified reason.

Complaint to the Norwegian Data Protection Authority:

If you believe that we are breaking the privacy regulation or are not satisfied with our handling of your inquiry, you can complain to the Norwegian Data Protection Authority. We encourage you to contact us first, so that we can provide answers and clarify any misunderstandings. 

7. Contact

If you have questions or comments about how we process personal data , you can send an e-mail to hello@governance.no.

6. Changes to this privacy policy

This privacy policy can be updated continuously without us posting a specific notice for this. On the other hand, if the changes are material and/or affect your rights, we will post a notice that the privacy policy has been updated. The privacy policy applicable at all times is published on our website.

Last updated: May 15th 2023.