SafeSpot is a service made available by EYD AS, a limited liability company registered under the laws of Norway (Registered business no. 922 142 009). SafeSpot is a service developed and offered related to the coronavirus pandemic which may cause COVID-19 (the “Service”) on a non-profit basis for personal users and a for-profit basis for businesses. We may, from time to time, enhance the Service and/or provide additional functionality. The purpose of the Service is to provide services to citizens, businesses, and national health authorities, that may support the preventing work in the spreading of the coronavirus. By using the Service and by registering your information, you accept these terms (the “Terms”) and to comply with them. Information on the processing of your personal data is provided below.
The Terms for the use of the Service is set out below, including information for the processing of your personal data in connection with use of the Service. We may amend both the Terms and information provided herein from time to time. You will be notified in the event of significant changes. The most up-to-date version of these Terms is available on our website.
We strongly encourage you to follow and comply with the information provided by official national authorities in your country or jurisdiction. No information provided by or accessible through the Service shall be considered as a replacement for tests, the providing of information or information provided by official national authorities. Our providing of information to the business or the national health authorities is contingent on the correctness of the information. We, therefore, request you to provide correct and truthful information about yourself and to only use the Service for lawful purposes. We may terminate your user account in the event of a breach of these Terms, and we reserve our right to indefinitely block, restrict or terminate access for user accounts that we suspect are used for malicious intents. We also reserve the right, subject to our sole discretion, to implement measures, take down or make the Service unavailable for any reason. We retain ownership to the Service and all intellectual and industrial property rights vested therein or related thereto.
EYD AS is the controller of the personal data under the Service. When we transfer data, as described below, the receiver of the data will be the controller of the data received. As part of the Service, we will collect personal data from you. What data we collect, how we use your data, how we protect your data and how we, as well as your rights in this respect, is set forth below. As a data controller, we are responsible for ensuring the use of personal data in accordance with applicable data protection legislation. We value your privacy and will not use or share your information with third parties, except as described in these terms. What data do we collect about you? When you register to use the Service, you will be asked to provide information about yourself. When doing so, we will collect the data provided through the use of such form. This data may include (dependant on the information you provide):
Please note that information such as whether you have symptoms of infection or is confirmed as infected, as well as other information that concerns or may reveal anything about your health, is considered health information, which is a special category of personal data pursuant to General Data Protection Regulation (GDPR) Article 9. For the features of the Service in which collects such data, we need your express consent to process it, as further described below.
If you have signed up for our newsletter. We use Mailchimp for newsletters. In mailchimp we may store your email, time of subscription for the newsletter and your IP-adresse. You may choose freely to subscribe to our newsletter and you may unsubscribe at any time by following the unsubscribe link in the email. If you choose to unsubscribe your information will be deleted.
Processing, inclusive storage:
When you provide us with your personal data in the Service as described above, your data will be processed by us. We do this to be able to provide you with the Service, access to your user account and to fulfill the purposes set out below. For those purposes, we will process the personal data you submit to us, including your status reports which may contain health data. We will only process your personal data if you have given us your prior expressed consent to process it for the mentioned purposes.
To provide information to a SafeSpot business:
A business may use the Service to create “SafeSpot” locations to be able to register visitors at such locations for the purpose of contact tracing. If you choose to register at a SafeSpot location we will provide the business with your primary contact information such as name, phone number and/or email address, your confirmation of health (no symptoms); or the businesses confirmation of your informed notification otherwise (no specific data of such will be recorded) made at the registration, and the given date and time period of your presence at that location.
When registering to a SafeSpot location, you may be alerted in the case of a suspected or confirmed infection at the given SafeSpot location. The business may contact you and/or provide your registered information to the health authorities in charge of contact tracing.
A business may also use the Service to request the status and actions of its employees through the Service. If you are responding to such request, we will take the necessary measures to protect your health-related data and will not provide your employer with any such data. The employer may be provided with aggregated data of their employees’ health-related status if applicable. Your data is only transferred to your employer if you have consented to such transfer and explicitly responding to such request.
To transfer information to national health authorities:
In the case of confirmed infection connected to a specific SafeSpot location and for the purpose of contact tracing, we may share your name, contact information and time of your check-in at a given SafeSpot with national health authorities in your country if such that authority requests it.
To aid such authorities with up-to-date information, overviews and status regarding the spread of the virus, we may also share other information of your recent status updates, given that you have consented to such sharing. Such consent is collected if you update your status in the Service through your created user account.
If you do not consent to share your personal information, we may share anonymised tracking data and statistics to the health authorities, if requested. Your personal data will be analysed by us in a suitable manner before being shared. In the case the national health authorities in the country or jurisdiction you have registered in the Service require us to do so based on local regulation, we may also share your personal data as necessary for reasons of public interest in the area of public health to the extent allowed by law. You will always be noticed prior to the sharing of your data to your national authority, giving you the opportunity within a reasonable time to delete or change your data or withdraw your consent.
For the purpose of transfer to the national authority, we may transfer all categories of personal data mentioned above (your name, date of birth, location, date of registry and contact information, what actions you have taken against the virus and your health data, e.g. your COVID-19 status such as symptoms and test status).
Statistics and public information:
We may also use your personal data to create and provide anonymised and/or aggregated statistics regarding the current COVID-19 pandemic, which will be accessible to the public and/or to other users of the Service. Statistical information will also be stored after the COVID-19 pandemic has ended. We will only analyse and use your personal data, including health data, based on your explicit consent for statistical purposes to provide the public with information on the COVID-19 pandemic. The anonymising and/or aggregating of your personal data is based on your consent which is given when you submit your status. Any data which is anonymised and/or aggregated will not be personal data after the anonymisation and/or aggregation of data, as the data will not be possible to trace back to individual persons.
For this purpose, we process all categories of data mentioned above, except your name and contact information (i.e. we process your date of birth, location, date of registry, what actions you have taken against the virus and your health data: your COVID-19 statuses such as symptoms and test status).
To contact you:
We may also process your contact information (such as email and name) to contact you and to provide you with information regarding the Service or updates thereto, the COVID-19 pandemic, or to reply to your inquiries.
How long do we store your data?
Your personal data will not be retained for longer than necessary for the purposes mentioned herein. This means that when our relationship with you is terminated, or you withdraw your consent for one or several purposes as described above, we will delete your personal data.
If you register yourself at a SafeSpot or report your status, your data will be stored for 14 days. After 14 days, the personal data will no longer be available for the SafeSpot business, and all personal data will be deleted if not connected to an active user account.
I you choose to create a user account, your data will be stored as long as you have an active use of such account. Inactive accounts will be deleted and all personal data anonymised after six months.
Is my data shared with third parties?
We will only share your personal data with registered SafeSpot businesses or national health authorities, as described above. Your registered data related to a SafeSpot will only be available for such businesses through the Service for 14 days. We may also share data in an anonymized form to any third parties that may be able to utilize such anonymized data to contribute to the global effort against the COVID-19 pandemic as described above.
How do we protect your personal data?
We have implemented appropriate technical and organisational measures to ensure a sufficient level of security when processing your personal data and to prevent loss or unlawful processing. Such measures are, for example, internal routines, data processing agreements, encryption and anonymization, confidentiality agreements and IT-security procedures to verify access rights. We will also carry out data protection impact assessments when it is likely that processing of your data may result in high risk with respect to your rights and freedoms in relation to your personal data, in particular your health data.
Your rights with respect to the processing of personal data
Your rights with respect to your data include the right to access, rectification, erasure, restriction, objection to the processing and the right to appeal to local data protection authorities.
You may have access to your personal data either by accessing your dedicated page in the Service, where all the personal data you have provided is accessible. In addition, you may contact us to have access to your personal data, provided that you are able to identify you as the registered person for the data.
If there are errors in your personal data, you have the right to have the data corrected. You may correct your data by accessing your page in the Service and correct your data yourself. Or you may also contact us for having the data corrected.
As set forth above, you can delete your data either on your page in the Service, or withdraw your consents for processing of your personal data, which you entitled to do at any time. You can also delete your data by contacting us directly, provided that you are able to identify yourself as the registered person for the data.
If you do withdraw your consent(s), your personal data will be deleted, and to submit your status at a later point, you have to re-register to the Service.
If you suspect or consider us to breach your privacy or personal data regulation, you may contact the Norwegian Data Protection Authority (Datatilsynet), which is the Supervisory Authority for EYD as the data controller. Contact information is available here: www.datatilsynet.no.
How can you contact us? Please contact us if you have any questions or comments or if you wish to exercise your rights.
Our contact details are: EYD AS, Norway – firstname.lastname@example.org