Telenor Digital AS Direct Operator Billing Privacy Notice

Welcome to Telenor Digital AS and thank you for your interest.

Telenor Digital AS is a Norwegian company within Telenor Group that develops, provides and maintains a variety of digital products and services.

Direct Operator Billing (hereafter ‘DOB’) is Telenor Digital´s service that allows you to pay for digital content through your phone bill.

Telenor Digital can be either a data controller or processor regarding the DOB service. Where we are a data processor, we are delivering the service to the mobile network operators.

This Privacy notice specifically applies to the cases in which Telenor Digital is the data controller.

Contact Telenor Digital

You can reach out to our customer services team for any information on data protection. Our team will respond to your request via email as soon as possible.

For more information, or to exercise your rights, you may contact our customer services team either via phone or email using the details below:

Country

Customer Support Phone

Customer Support Email

Norway

+47 219 83 910

[email protected]

Sweden

+46 812 160 090

[email protected]

Denmark

+45 324 63 030

[email protected]

Data Categories, Data Sources and Retention Policies for DOB

In order to provide the DOB services, Telenor Digital obtains data indirectly from either:

  • your mobile operator in order to provide your bill
  • our partners, i.e., the stores or services from which you make a purchase

Telenor Digital’s data retention policies vary based on the purpose of processing. As a general rule, personal data will be kept only as long as is necessary for the purposes outlined in this privacy notice.

Personal Data Categories for DOB

Personal Data

Retention Policy

Reasons for Retention

Account identifier

MSISDN (i.e phone number)

1 year - deleted 1 year after transaction date the date of the most current transaction

We retain this in order to support you with any queries or refunds regarding transactions

End-user profile (post paid, pre paid etc)

1 year - deleted 1 year after transaction date

We retain this in order to support you with any queries or refunds regarding transactions.

In some cases, however, this information is not passed to us by the operator.

General user data

ACR (encrypted unique customer identifier)

1 year - deleted 1 year after transaction date

Not every transaction has an ACR. If it does, we retain this in order to support you with any queries or refunds regarding transactions.

Operator ID

1 year - deleted 1 year after transaction date

We retain this in order to support you with any queries or refunds regarding transactions.

Purchase information

Amount – purchase value

1 year - deleted 1 year after transaction date

We retain this in order to support you with any queries or refunds regarding transactions

Description of purchase

1 year - deleted 1 year after transaction date

We retain this in order to support you with any queries or refunds regarding transactions

Transaction ID

1 year - deleted 1 year after transaction date

We retain this in order to support you with any queries or refunds regarding transactions

Name of the partner purchased from

1 year - deleted 1 year after transaction date

We retain this in order to support you with any queries or refunds regarding transactions

Time stamp

Time of purchase

1 year - deleted 1 year after transaction date

We retain this in order to support you with any queries or refunds regarding transactions

DOB SMS

SMS service messages in relation to the DOB service

1 year - deleted 1 year after communication takes place

We retain this in order to support you with any queries about the transaction eg. PIN delivery, receipts, etc...

Processing Purposes for DOB

The majority of Telenor Digital’s data processing to provide Direct Operator Billing is essential to provide the functionality that users request (such as the processing of payment transactions or providing refunds to users). Such data processing therefore is necessary to deliver the DOB services that we have committed to.

Some supporting data processing is beneficial to the provision of our services, while not an integral part of it, such as developing new features or measuring the performance of existing features to further improve the product. In that case, that data processing serves the legitimate interests - as listed below - of Telenor Digital or other members of Telenor Group.

For some specific data processing Telenor Digital will ask your prior explicit consent.

Processing Purposes in Detail:

Processing Purpose

Details

Service Provision

Providing the service requested by the user to the user. These include authentication of the user, the processing of payment transactions and refunding of transactions where necessary.

Customer Support

Assisting users with demands and requests that they may have, and helping them to solve potential issues.

Maintain Confidentiality and Security of User Data

Taking measures to protect user data against data loss, unauthorised access/alteration, etc.

Maintain Confidentiality and Security of Non-User Data, Systems and Services

Taking measures to protect data other than user data, as well as infrastructure, against data loss, unauthorised access/alteration, etc.

Maintain Integrity of User Data

Taking measures to protect user data against inaccuracy.

Product Performance Improvement

Improving the performance of the product, such as caching data.

Transferring Data within Telenor Group for Administrative Purposes

Intra-Group data exchange across Telenor, i.e. for the provision of the service or for the purpose of reconciliation of different databases.

Legitimate Interests:

Legitimate Interests

Details

To improve our customer service.

Telenor Digital is committed to providing users with quick, effective and convenient assistance, should they encounter an issue. Quality assurance of customer service is essential to improving processes and providing the help that is needed.

To maintain data security.

To maintain both the integrity and confidentiality of user data and the reliability of services is a key objective of Telenor Digital. Therefore, measures are taken to recognise events that indicate an attack or fraudulent attempts to access or alter data. Log-files documenting such attempts are kept, which are accessible only to a minimal number of employees and only on documented exceptional circumstances. This is to investigate security incidents and close potential security gaps.

To improve customer experience.

To ensure an effective presentation of websites and apps, and to facilitate troubleshooting and easy accessibility, Telenor Digital needs to understand by which means services are accessed (such as device types, operating systems, browser type), and where potential issues with the user interface occur.

To improve our performance.

Understanding how our service is used across different markets and over time in order to optimise it accordingly, is a basic interest of Telenor Digital. In many - but not all - cases, this data will be aggregated. Such aggregated statistics do not include information that can personally identify a user. In other cases, numeric indexes are used to distinguish between different users without concretely identifying them.

To integrate and interlink our services within the Telenor Group.

Telenor Digital provides centralised services to other members of Telenor Group, which is why your mobile operator will exchange information with us for administrative purposes. This includes information on the performance of our services to improve integration or supporting internal reporting. Where we process data for this purpose, this is performed at an aggregate, depersonalised level.

Data Transfers

There are two basic setups in which Telenor Digital transfers personal data to partners or external vendors:

  • Network Operator: We integrate and collaborate with other network operators, for example, Telenor companies. These activities require data transfers to or from your mobile service provider or any other provider you have chosen for your mobile connection.
  • Partners: In order to provide this service, we integrate our own services with partners outside Telenor Group. In such a case, each party is responsible for their part of the data processing as a data controller. An example of where this is the case is when you make a purchase from one of our partner app stores.
  • External vendors: We use external vendors to deliver, improve and maintain our services. These vendors are data processors to Telenor Digital, which means they are legally and contractually obligated to follow our instructions, maintain the data securely, delete data upon request, and so forth.

Finally, if Telenor Digital decides to sell, buy, merge or otherwise re-organise its business, it will conduct the necessary data transfers.

Third-Country Data Transfers

There are specific setups, in which Telenor Digital transfers data to countries outside the European Economic Area (EEA)/European Union (EU). Such transfer occurs

  • when a user’s country of residence is outside EU/EEA, the user is a subscriber to the local mobile network operator and Telenor Digital services are offered with the subscription; or
  • when we use processing capacities of a vendor based outside EU/EEA.

Where applicable, Telenor Digital transfers personal data to the United States on the basis of the “Privacy Shield”. For all other data transfers to third-country, not pre-approved by the EU as having an adequate level of protection, Telenor Digital enters into standard data protection clauses adopted by the European Commission (“EU Model Clauses”).

User Rights

You have certain rights in relation to the personal information that we, Telenor Digital, hold about you in relation to the DOB service. We have in place measures and processes to enable you to exercise your rights and ensure that we can fulfil your requests concerning the personal data that we hold about you. The rights available to you depend on our reason for processing your information.

  • Right to withdraw consent: Where you have previously given consent for us to process your personal data, you can withdraw that consent any time. Contact our customer service team to adjust your privacy settings.
  • Right to access your information: You can ask for more detail regarding the data we collect about you and how we process it. Contact our customer service team to request a report that reflects what personal information we hold about you. Our customer service team will handle your request and answer your questions.
  • Right to rectification: You can request that we correct any incorrect personal data which we are processing. For most of our services, the simplest way of achieving this is through updating your user profile yourself. You may also get in touch with our customer service.
  • Right to object: When we process your personal data on the legal basis of legitimate interest, as discussed below, you have the right to object to such processing. You may contact our customer service team directly.
  • Right to erasure: You can request that we erase the personal information we hold about you. This kind of request must meet certain criteria.
  • Right to restrict processing: In certain cases, you may request that we cease processing of your personal data for certain purposes. For instance, you might claim that our use of your data is unlawful, but you may ask us to restrict the processing of data, as opposed to deleting it.
  • Right to portability: You can request the personal data concerning you, which you have provided us with and that we are processing based on your consent or in order to perform a contract with you, in a structured, commonly used and machine-readable format, provided that the data is processed using automated means. This includes a direct transfer to another controller, where technically feasible. You can submit a request to download your data using the Review section of our Privacy page. Customer Service will provide access to this data in a machine-readable format via our file-sharing solution. Please note that this right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. We also will not be able to extend this right in a way that would adversely affect the rights and freedoms of others.

You also have the right to lodge a complaint with a supervisory authority.

Changes to the Privacy Notice

We may update this Privacy Notice from time to time, as our data processing may change and we would like to keep you informed.

Where we think it is appropriate we shall make material changes to our privacy notice from time to time. By continuing to use our services you confirm your continuing acceptance of this privacy notice.