Skip to main content

Introduction

Atea ASA and its business units (hereinafter referred to as Atea), is the market leader in information technology infrastructure and related services for businesses and public-sector organizations in the Nordic and Baltic regions. Atea is dedicated to safeguarding personal data to uphold the fundamental rights and freedoms of individuals. We highly value the protection of personal data and, therefore, place significant emphasis on maintaining data subjects’ privacy.

Purpose

This Data Privacy Policy outlines the purpose of data processing, the methods we use to collect, handle, ensure the proper use and retention of personal data, and the rights data subjects can exercise regarding their personal data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679.

Scope

This policy applies to all Atea and its entire operations including employees, customers and suppliers. This policy is supported by Atea Data Protection Policy which sets the standard for the protection and processing of personal data within Atea.

Definition

Personal data is any information relating to an identified or identifiable natural person; an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

General purpose of personal data collection

Service Provision: To provide and manage the services or products requested by the data subject.

Communication: To communicate with  the data subject about their accounts, transactions, or any updates related to the service Atea provide to them.

Personalization: To personalize data subject’s experience by tailoring content and recommendations based on data subject’s preferences and behaviour.

Legal compliance: To comply with legal obligations, such as tax reporting or responding to lawful requests from public authorities.

Security: To ensure the security of the services, including fraud prevention and detection.

Marketing: To send promotional materials or offers, provided if the consent has been have given.

Analytics: To analyze and improve the services, including understanding user behaviour and preferences.

Personal Data Collection: Categories, Purpose and Retention Time for Each Area

Atea eShop account and online purchase data

The Atea eShop is an eCommerce platform designed for companies (legal entities). When a company creates an account to purchase hardware, software and services, the personal data of the company representative is processed according to this Policy. This includes data provided through eShop placed orders including punchout.

For eShop users, the following personal data is processed in eShop:

  • First name, last name, email address, phone number, company, source IP address, last login, employee number. Optional: default cost center.

From FreeChoice users the following personal data is processed in eShop:

  • First name, last name, email address, private email address, phone number, company, source IP address, last login, employee number, default cost center.

Personal data is processed for the purpose of fulfilling contractual obligations, such as delivering goods, resolving warranty issues.

Personal data of eShop user accounts is anonymized 2 years after the last login as last activity.

Personal data of eShop Free Choice user account anonymized 5 years after last asset expire if user has not logged in for 2 years.

Data from the Atea eShop is also transferred to the Atea business and financial accounting systems (ERP) for the purpose of invoicing, communicating with customers, fulfilling warranty obligations, and protecting legal interests. The data is processed and stored according to the country’s where Atea operates legal requirements and internal regulatory acts regarding archiving.

My Atea

My Atea is a portal designed for companies (legal entities). Access to My Atea is granted to representatives of companies who are authenticated users in Atea eShop or Atea ServiceNow. These representatives gain access through the respective onboarding processes. No personal data is transferred from these systems to the My Atea portal, only metadata from the systems is visible in My Atea.

Consequently, since My Atea does not store any personal data, the retention of personal data is not applicable.

If My Atea user wish to provide feedback on portal functionalities or suggest improvement ideas within the system, there is a dedicated "User feedback & Ideas" widget for submitting such information. Users have the option to voluntarily include personal data, such as their name and email address, if they desire to receive notifications or follow up on the feedback provided. The retention period for personal data entered in the "User feedback & Ideas" widget is one year.

Call records

When contacting Atea Servicedesk to report an incident or problem within a company, all inbound phone calls are recorded. These recordings are made for quality assurance purposes and to investigate any complaints. The retention period for call records is 90 calendar days.

Prior to the start of a conversation, it is always communicated that the call will be recorded. There is an option to choose not to be recorded and continue the conversation.

Servicedesk Case and Incident Handling

When contacting Atea Servicedesk, personal data will be stored in the ticketing system for the purpose of handling the case. The personal data processed includes information provided when submitting the case or incident, such as name, phone number, email address, organization, job title, and department.

Personal data is processed to fulfill contractual obligations with the company represented. This involves registering contact information for a case or incident, enabling resolution of the issue and communication regarding the case. Personal data is retained within the Atea ticket system for historical purposes, allowing for revisiting a case later for learning (problem management, post-incident review) and record-keeping.

The retention period of personal data is five years after a case is closed.

After resolving the case, an Atea User Satisfaction Survey email linked to the case number will be sent. This survey aims to improve the service provided.

The retention period of Atea User Satisfaction Survey is two years, allowing for revisiting the survey evaluations and comparing customer support results.

Authorization to Atea systems

Atea employs control authorization mechanisms to ensure secure authentication to Atea systems. The authorization is handled by Atea secure authorization solution.

To gain access to the relevant systems in Atea, there are two authentication methods available as described below.

Atea authorization

User ID (email address) and password for authentication is used. Personal data includes email address and IP address. On authentication, email address and password will be verified by our identity provider through secure API. Logging of authentication is handled according to Atea requirements for security logging.

Personal data is stored for as long as an account exists in any Atea system.

Customer Active Directory authentication

Single Sign On for authentication is used. Personal data includes name, surname, email address and IP address. On authentication, first name, last name and email address is verified by customers’ Active Directory and passed to Atea secure authorization solution. Logging of authentication is handled according to Atea directive for security logging.

Personal data is stored for as long as an account exists in any Atea system.

Direct marketing

Data subjects’ personal data is used by Atea to send company news, updates, information about other similar products and services, Atea’s events and newsletters. Personal data provided by filling in the forms on Atea’s webpages is used with consent.

The following categories of personal data: name, surname, company name, email address and phone number.

Retention period of personal data for direct marketing is until the consent is withdrawn. It is easy to unsubscribe at any time by clicking the "Unsubscribe" button in any company news, updates, information about similar products and services, Atea events, or newsletter emails received from Atea, thereby withdrawing consent.

Atea events

To register for events organized by Atea, contact information, including name, company name, email address, and phone number, is processed.

This information is stored for the duration specified in the event registration form. Personal data is processed only to the extent necessary to fulfill the respective purpose.

Annual surveys

When Atea conducts annual surveys, such as the CIO Analytics report, the personal data used is the email address. This email address is obtained either through interaction with Atea or if it has been provided through the survey template.

The email address is utilized for the purpose of conducting the survey and sending out the report. This survey is based on Atea's legitimate interest as a legal basis.

The responses to the survey are anonymous, and the final report will only be shared if the email address is provided within the survey questionnaire.

To stop receiving surveys, it is possible to unsubscribe at any time via a link in the email or by contacting Atea.

The email address is stored until the recipient unsubscribes, at which point the information will be removed from the mailing list.

The mailing list is updated annually to ensure it is current and relevant. The email address is not shared with any third parties.

Personal data security

Atea is committed to protecting personal data to respect the fundamental rights and freedoms of individuals.

Details on how Atea secures  personal data processed by Atea can be found in Atea Data Protection Policy.

Data Subject rights

Right to access: A data subject can request access to information about the personal data processed at any time.

Right to data portability: When Atea processes personal data in automated ways based on consent or contractual obligations, the data subject has the right to have a copy of their data transferred to themselves or to another party. This only includes the personal data registered with Atea.

Right to correction: The data subject has the right to have incorrect personal data corrected or supplemented if it is incorrect or misleading.

Right to deletion: The data subject can request the deletion of their personal data processed by Atea at any time. Please note that the right to erasure can be overridden in accordance with the GDPR.

Right to limitation: The data subject has the right to request that Atea limit the processing of their personal data under the following circumstances:

  • If there is an objection to processing based on Atea's legitimate interest, Atea shall restrict all processing of such data pending verification of the legitimate interest.
  • If the data subject believes their personal data is incorrect, Atea must limit all processing of such data pending verification of the accuracy of the personal data.
  • If the processing is illegal, the data subject can object to the deletion of personal data and instead request a restriction of the use of their personal data.
  • If Atea no longer needs the personal data, but it is required by the data subject to defend legal claims.

To exercise these rights, the data subject is welcome to contact Atea. Designated Data Protection Officer contacts for each Atea Business Unit can be found on Contact Information.

In the case of requests that are obviously groundless or excessive, especially due to their repetitive nature, Atea is entitled to charge an administration fee. In such cases, the data subject will be notified of this in advance.

Upon receiving a request to fulfill any of the Data Subject's rights, Atea will respond and take the necessary actions in accordance with the request within one month. In the event of a delay, Atea will inform the Data Subject of any extensions along with the reason(s) for the delay.

The data subject has the right to submit any complaints about the processing of their personal data to the national supervisory authority that refers to their country of residence.

Norway: Norwegian Data Protection Authority

Denmark: Datatilsynet

Sweden: Integritetsskyddsmyndigheten 

Finland: Tietosuojavaltuutetun toimisto

Lithuania: Valstybinė duomenų apsaugos inspekcija

Latvia: Datu valsts inspekcija

Estonia: Andmekaitse Inspektsioon

Cookies and tracking Technologies

When visiting any Atea website, information may be stored or retrieved on the browser, mostly in the form of cookies. This information might pertain to preferences or devices and is primarily used to make the site function as expected. While the information does not usually directly identify individuals, it can provide a more personalized web experience.

Cookies are widely used to "remember" preferences, either for a single visit (through a "session cookie") or for multiple repeat visits (using a "persistent cookie"). They ensure a consistent and efficient experience for visitors and perform essential functions such as allowing registration and remaining logged in. Cookies may be set by the site being visited (known as "first party cookies"), or by third parties, such as those who serve content or provide advertising or analytics services on the website ("third party cookies").

Atea uses cookies to personalize content and ads, provide social media features, and analyze traffic. Atea also shares information about the use of its site with social media, advertising, and analytics partners.

Websites are regularly scanned with a cookie scanning tool to maintain an accurate list. Cookies are classified into the following categories:

  • Mandatory Cookies
  • Functional Cookies
  • Marketing Cookies

A detailed list of the cookies we use on our websites can be found by clicking on the "Privacy settings" within the Cookie banner and checking the list of each category of cookies.

Each cookie category can be opted in based on individual preferences, and choices can be easily modified in the Privacy Settings if preferences need to be changed (opt-out).

Mandatory

These cookies are essential for the website's functionality and cannot be disabled in our systems. They enable enhanced functionality and personalization and may be set by us or by third-party providers whose services Atea has added to our pages. Typically, these cookies are set in response to actions that amount to a request for services, such as setting privacy preferences, logging in, or filling out forms. Blocking these cookies may impact the site's performance. They do not directly store personal information but are based on uniquely identifying the internet browser and device.

Analytics Cookies

These cookies enable Atea to monitor traffic and sources to measure and improve the site's performance. They help identify the most and least popular pages and understand how visitors navigate the site. All information collected by these cookies is aggregated and anonymous. Without these cookies, Atea's ability to optimize and analyze the site's performance will be limited.

Marketing Cookies

These cookies may be set through the site by advertising partners and social media services. Anonymized data can be shared with third parties to build a profile of preferences and display relevant adverts on other sites to friends and networks. They do not directly store personal information but are based on uniquely identifying the internet browser and device, which can be used to build a profile. Without these cookies, there will be less targeted advertising, and the sharing tools will not be usable or visible.

Third Party Access to Personal Data

Atea may disclose personal data to all companies within Atea Group (i.e., the ultimate holding company and all its subsidiaries) if it is reasonably necessary for the purposes stated in this Privacy Policy.

Only third parties with whom Atea has signed agreements and data processing agreements may have access to data subject’s personal data. These trusted third parties assist Atea in operating the site, conducting business, delivering ordered goods, or providing services. Third parties must agree to keep the information confidential and not use it for any purposes other than those agreed upon.

Links to Third Parties

Atea may, at its discretion, publish or offer third-party products on its websites. These third-party websites have their own independent privacy rules. Therefore, Atea takes no responsibility for the content and activities of these linked sites. However, to protect the privacy of its site, Atea welcomes comments on these websites.

Transfer to Third Countries

Personal data collected is stored within the European Economic Area (EEA) but may also be transferred to and processed in a country outside the EU/EEA. Atea uses vendors for mail, cloud services, antimalware, firewalls, authentication, etc., which may involve transferring and processing personal data outside the EU/EEA. Any such transfer is carried out in accordance with applicable laws. For transfers outside the EU/EEA, Atea uses Standard Contractual Clauses as an appendix to data processing agreements according to Chapter V of the GDPR.

Atea does not transfer the personal data provided to countries outside the European Economic Area (EEA) without explicitly informing about the transfer.

Policy Updates

Atea reserves the right to update or modify this Policy at any time. The most current version is published on atea.com, with the publication date noted at the bottom of this policy.

Contact Information

If data subject has any privacy concerns or need to escalate their privacy issues, please reach out to the designated Data Protection Officers in each Atea Business Unit as listed below:

Atea ASA: dpo@atea.com

Atea Norway: dpo@atea.no

Atea Denmark: dpo@atea.dk

Atea Sweden: dpo@atea.se

Atea Finland: dpo@atea.fi

Atea Baltics (Lithuania, Latvia, Estonia): dpo@atea.lt

Atea Global Services: ags.dpo@atea.com

 

Last updated: December 2024.