Privacy policy

This privacy policy has been prepared by Viking Assistance Group AS ("Viking," "we," "us," or "our") to provide you with information on how, why, and on what legal basis we process your personal data.

In addition, this policy describes the rights you have as a data subject under the EU's General Data Protection Regulation 2016/679 (GDPR) and Norwegian data protection legislation (collectively, "Data Protection Legislation").

This privacy policy applies to our processing of personal data in our role as a data controller. In addition to being a data controller, we also occasionally act as a data processor when we process personal data on behalf of our clients. For these processing activities, we refer to the respective data controllers' privacy policies for more information.

If you have questions, require more information about the personal data we process about you, or wish to exercise your rights, you can contact us at:

• Viking Assistance Group AS
• Drammensveien 133, 0277 OSLO
• contact@vikingassistance.com

Our Data Protection Officer can also be contacted at privacy@vikingassistance.com.

Personal data is any information or assessment that can be linked to a natural person or a small group of people ("data subject"). Examples of what is considered personal data include name, national identity number, address, telephone number, and email address.

Personal data may also include special categories of personal data (previously called "sensitive" data), such as information about health conditions, religious beliefs, ethnic origin, or information about a person's sexual relations or orientation.

By "processing" of personal data, we mean any operation performed on personal data, such as collection, storage, combination, erasure, and any other use.

This privacy policy covers our processing of personal data for the following categories of individuals:

• Visitors to our website
• Contact persons at our suppliers and partners
• Individuals who apply for a job or are otherwise considered for employment with us
• Individuals who order products or services from Viking, such as roadside assistance, travel assistance, or vehicle valuation

If you are a member with us, please find more information about how we process your personal data as a member here.

Visitors to our website

When you visit our website, we process the following personal data through the use of cookies:

• Location data, including IP address
• Device information, such as PC, mobile phone, or tablet. In some cases, we also process information about the device's brand, model, screen size, and name.
• The device's operating system
• Usage data, meaning we record how you use our website, which links you click, which pages you read, etc.
• Form data. If you fill out a contact form on our website, we register and store this information and use it to respond to your inquiry.
• Online store. Information about the products you purchase, delivery address, payment information, and order history.

The information processed depends on which cookies you have accepted when visiting our website. You can read more about our use of cookies in our Cookie Policy here.

Service Delivery

To deliver our products and services to you, we process the following categories of personal data:

• Your personal and contact information, such as name, driver's license details, address, phone number, and email address.
• Vehicle information, such as registration number, car make, model, service history, and other vehicle characteristics. We also process information on whether your vehicle is covered by a roadside assistance guarantee or other relevant warranties from the manufacturer or owner of the vehicle (e.g., if the vehicle is owned by your employer). If we have a cooperation agreement with your vehicle's manufacturer, we act as a data processor for the manufacturer when we retrieve information about your agreement from their customer registers.
• Incident information, including details about operational status, accidents, theft during travel, lost luggage, acute illness, and other events that require our assistance.
• Health data, for example, information about illness and injuries if relevant for us to be able to assist you.
• Location data, such as your location when providing you with roadside assistance or travel assistance.
• Insurance information, including policy number and other details we need to assist you or others covered by your insurance. If we have a cooperation agreement with your insurance company, we receive information about your customer relationship and insurance details from them. For this retrieval of information, we act as a data processor for the insurance company.
• Data from your interactions with us, which may include audio logs and recordings of conversations with our customer center, any consents you have given us, information you provide in our customer satisfaction surveys, and information you provide in inquiries and messages to us.
• Information about travel companions. In certain situations, it is necessary for us to process information about your travel companions, for example, to book return travel, a rental car, or other alternative transportation.
• Payment information, including your bank and/or credit card information used for your payments to us.

Contact persons at suppliers and partners

If you are our contact person or another employee we have direct contact with at one of our suppliers or other partners, we will process personal data such as:

• Your personal and contact information, for example, name, phone number, email address, job title, and other information about you and your employment that you or your colleagues have provided to us in connection with our collaboration.

Job applicants and recruitment

In connection with recruitment, we will process the personal data you provide during the recruitment process, including your name, contact information, education and work experience, current job title, etc. We will also process the name and contact information for any references you provide.

We use a recruitment system in our recruitment processes. You can read more about the processing of personal data in this system here.

When we are the data controller, we process your personal data for the following purposes:

• We process the personal data listed in section 5.1 to enable you to use our website, to improve your experience on the site, and to market and sell our products and services on both our own and third-party websites.
• We process the personal data listed in sections 5.2 and 5.3 above because it is necessary to establish and manage our customer or supplier relationships, for billing purposes, and to deliver our products and services to you or your employer.
• Payment and other purchasing documentation are also processed for purposes related to internal reporting and compliance with our bookkeeping obligations.
• We process the personal data listed in the section above to assess you as a potential employee and to form a sound basis for decisions in our recruitment processes.

When we are the data controller, we use the following legal bases to process your personal data:

• When you use our services and products, we process your personal data (as detailed above) because it is necessary to fulfill your insurance or roadside assistance agreement, as well as to deliver our products and services to you, pursuant to GDPR Art. 6(1)(b). In emergency situations, the basis for our processing may also be that it is necessary to protect your vital interests, pursuant to GDPR Art. 6(1)(d).
• If you are a contact person or other representative of one of our corporate clients, suppliers, or other partners, we process your data because it is necessary for purposes related to Viking's legitimate interests in interacting with our corporate clients, suppliers, or partners, pursuant to GDPR Art. 6(1)(f).
• If we process health data about you, it is based on your explicit consent, pursuant to GDPR Art. 9(2)(a), or, if obtaining your consent is not possible, to protect your vital interests, pursuant to GDPR Art. 9(2)(c).
• Any personal data included in purchase or other legally required accounting documentation, such as payment information, will be processed based on our legal obligations under applicable regulations, such as the Bookkeeping Act or tax legislation, pursuant to GDPR Art. 6(1)(c).
• We process the personal data described in section 5.5 for purposes related to Viking's legitimate interests, pursuant to GDPR Art. 6(1)(f), which is to recruit and hire suitable candidates for our business, and to document compliance with applicable regulations in recruitment processes, such as the Equality and Anti-Discrimination Act, pursuant to GDPR Art. 6(1)(c).
• If we have requested your consent to process personal data, you can withdraw this consent at any time. Without your consent to process health data, we will not be able to provide you with travel assistance if you need medical help.

We use and collaborate with several third parties. Where required, we have entered into data processing agreements with these parties, which oblige the respective companies to ensure that personal data is stored securely, not disclosed to unauthorised parties, and not used for purposes other than those we specify.

We will never sell your personal data to a third party. We use various service providers who supply IT and other administrative services to us.

Depending on the situation, your data may also be disclosed to:

• Insurance companies in connection with your insurance claim. This may include information about damages, health status, theft, accidents, repairs, suspicion of insurance fraud, and other relevant information.
• Our clients, such as car manufacturers, to fulfill the terms of our agreements with them if you have a claim for cost coverage from one of them.
• Police, road authorities, tax authorities, or other regulatory bodies that require the disclosure of personal data in accordance with applicable law.
• In emergencies or other specific cases, we may share your information with third parties to protect your interests and safety. This may include sharing information with emergency services or medical personnel in the event of an accident, as well as with rental car companies, workshops, towing stations, airlines, and hotels to organise transport, repairs, or accommodation.

If you are in a country outside the EU/EEA, it is possible that your personal data will be transferred to parties located in other countries so that we can fulfill the purposes stated in this privacy policy, for example, if you need emergency medical assistance while traveling. The level of protection for personal data in such countries may be lower than in the EU/EEA. Where possible under the circumstances, Viking will use the EU's standard contractual clauses and ensure that adequate security measures are in place to protect your personal data.

Viking has corporate accounts on several social media platforms, such as Facebook, X (formerly Twitter), Instagram, LinkedIn, and YouTube. The processing of personal data on these platforms is subject to the terms of use and privacy policies of each platform.

We use these accounts to promote and improve our products and services, and the legal basis for this legitimate interest is GDPR Art. 6(1)(f). If you contact us via one of these accounts or wish to share some of the content we publish, we will be able to see basic account information such as your name and email address. We will respond to you on the same platform and process personal data in connection with such communication. You are free to stop following our accounts or delete your comments and messages. Note that unfollowing our accounts does not automatically delete your personal data.

Please be aware that these providers engage in international data transfers to the United States. We encourage you to read their privacy policies to learn more about how they process your personal data.

When you use Facebook, we also receive aggregated statistical reports from Facebook via a service called Facebook Insights. This service allows us to monitor the activity on our account. These reports contain no personal data and are completely anonymous to us, but in connection with this service, we act as joint controllers with Meta Platforms, Inc. You can find more information about Facebook Insights here.

We will delete or anonymise personal data when it is no longer necessary for the purpose for which it was collected, in accordance with the following deletion routines:

• Personal data related to case management or the delivery of our products and services will be processed until the relevant case is closed and will then be anonymised after 5 years.
• For insurance claims and travel assistance, separate retention requirements apply, and we refer to the insurance companies' privacy policies in this regard.
• If we store audio recordings, they will be kept for a maximum of 3 months.
• Purchase documentation and invoice information will, depending on the nature of the documentation, be stored for either 3 years and 6 months or 5 years, in accordance with the Norwegian Bookkeeping Act.
• Information about job applicants who are not hired will be deleted six months after the recruitment process is completed. If you provide your consent, we may process your personal data for a longer period to contact you about any future job vacancies.

If we process your personal data, you have several rights under the Data Protection Legislation that you can assert against us.

• You have the right to access the personal data we process about you, including the right to receive a copy of this data.
• If you believe the information we have registered about you is incorrect, you have the right to request its rectification.
• You have the right to request that your data be deleted from our systems, which we are obliged to comply with under certain conditions.
• If you have objections to our processing of your data but do not want it deleted for reasons related to ongoing processes, you can request the restriction of processing. In such cases, our processing will be limited to necessary storage only.
• Where our processing of your data is based on legitimate interests (see section 7 above), you have the right to object to the processing. If you object, we must cease the processing in question, unless there are compelling legitimate grounds to continue.
• Where our processing of your data is based on your consent or our agreement with you, you have the right to data portability, meaning you can receive this data in a structured, commonly used, and machine-readable format, either for yourself or for direct transfer to another third party.

Please note that there are exceptions and further conditions for the rights described above, and not all rights will be relevant in all our interactions. You can read more about your rights on the website of the Norwegian Data Protection Authority here.

If you wish to exercise any of your rights, please contact us as indicated in section 2 above. Please be aware that we may need to ask you to verify your identity, as we must ensure that you are who you claim to be. We will respond within 30 days or notify you if we need more time.

Viking does not use automated decision-making that has a legal or similarly significant effect on you or your privacy rights.

The Norwegian Data Protection Authority, complaints, and applicable legislation

The Norwegian Data Protection Authority (Datatilsynet) is responsible for supervising compliance with data protection regulations and overseeing the processing of personal data by Norwegian companies.

You can contact us at any time if you have complaints regarding our processing of your personal data. You can also file a complaint with the Norwegian Data Protection Authority or a supervisory authority in the EU/EEA country where you live or work, or where the alleged infringement took place. Contact information for the Norwegian Data Protection Authority can be found on their website, [here]. On their website, you will also find further information about our obligations under the applicable Data Protection Legislation.

The current version of the Data Protection Legislation is available on Lovdata. The Personal Data Act and GDPR can be found here.

We may revise this privacy policy from time to time, for example, as a result of changes in our processing of personal data or changes in the Data Protection Legislation. When the privacy policy is changed, an updated version will be published on our website.

This privacy policy is effective from the date indicated at the top of the document.