Personal Data Protection Policy for Folk AS



1.0 Purpose of the Personal Data Protection Policy

The purpose of the Personal Data Protection Policy is to document how Folk performs its role as data controller of personal data, and that we do so in accordance with the requirements set out in applicable legislation.

2.0 Categories

Folk AS is the data controller for all the personal data we register and process, which are mainly related to the following categories of data subjects:

  • Jobseekers
  • Employees and hired personnel
  • Users of our website


Folk AS is the data processor for the personal data we register and process, which are mainly related to the following categories of data subjects:

  • Employees of our customers and suppliers.

3.0 Personal data

We register and process the following personal data:

  • Contact information (such as name, postal address, e-mail address and telephone number, etc.)
  • User name and password when you register in our recruitment management system
  • Information about persons you want us to contact as references
  • Other information you may provide, such as in questionnaires or via the ‘Contact us’ function on our website

If you apply for a position with us, we may also collect the following personal data:

  • A summary of previous positions and education
  • Language skills and other job-related skills
  • Date of birth
  • Gender
  • Citizenship and work permit status
  • National ID card details
  • Health-related information, when relevant for positions
  • Background checks
  • Tax-related information
  • Information from references
  • Information contained in CVs, information you provide regarding career interests, and other information regarding qualifications for appointments

When you acquire the status of ‘Employee’, we will also collect the following information:

  • Personal identity number/other government-issued ID number
  • Bank account details
  • Next of kin to be contacted in an emergency



Sensitive personal data
Processing of sensitive personal data; cf. the General Data Protection Regulation, Article 9:

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.


Paragraph 1 shall not apply if one of the following applies:


a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;


(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.


We encourage all applicants and employees to review their CVs, applications and any other documentation that has been uploaded to Recruitment Manager, and to remove sensitive personal data that are unnecessary when applying for positions in Folk.


Sensitive personal data which you have disclosed to Folk may be used in dealings with customers in connection with job searches and assignments. You give your consent by ticking to confirm that you have read and accepted our Terms of Use and Personal Data Protection Policy when creating your profile in Recruitment Manager.


Separate consent will be sought for sensitive personal data beyond that which you have personally shared with Folk in your profile.

4.0 Sources

Personal data that are registered and subsequently processed by us are obtained from two sources:

  • Directly from the individuals concerned, as provided by them.

This concerns personal data which you personally choose to register with us. This may happen directly through our online recruitment management systems, by telephone, letter post, e-mail or in face-to-face meetings, and may subsequently be registered by us in our recruitment and HR systems.

  • Indirectly via automated collection.

When you visit our website, we may collect certain information automatically via cookies (information capsules), web beacons and web server logs. Information collected in this manner can include IP addresses, unique identifiers, web browser properties, device properties, operative systems, language settings, referring URLs, website visitor behaviour, date and time of visits to our website and other user statistics.


5.0 Application

Personal data that are provided directly by individuals are used for the following purposes:

  • Offer staffing solutions and find people employment
  • Create and administer online accounts
  • Perform payments/payroll disbursements
  • Manage relationships with customers and suppliers
  • Distribute advertising material, send notifications of job vacancies and other communication
  • Inform about, and administer participation in, special events, marketing, programmes, offers, questionnaires, competitions and market surveys
  • Reply to enquiries from individuals
  • Operate, evaluate and enhance our business activities (including developing,
    strengthening, analysing and improving our services, administering communication, perform data analyses, and performing accounting, auditing and other internal functions)
  • Protect against, identify and try to prevent fraud and other illegal activities, legal claims and other liabilities for damages
  • Comply with and support applicable statutory regulations, relevant industry standards, contractual obligations and our policies

If you are an employee or are applying for a position, we will also use the information described above in connection with:

  • Offering you job opportunities and employment
  • Managing HR administration, including administration of terms, pay, performance monitoring, etc.
  • Offering you other services, such as training, career guidance and help with changing jobs
  • Assessing your qualifications for positions
  • Performing data analyses such as: (i) analysing our database of jobseekers and employees; (ii) evaluating individual capabilities and job-related skills; (iii) identifying needed skills; (iv) using information to find individuals and prospects; and (v) analysing (labour market trends)

Personal data that are registered indirectly and automatically are used for the following purposes:

  • Administering and further developing our website
  • Distributing targeted questionnaires

Should we collect and/or wish to use personal data in ways other than those mentioned above, we will inform you accordingly and, if required by law, obtain your personal consent to do so.

6.0 Sharing of personal data

We share no personal data with third parties beyond that specified below.

We share personal data with third parties if, on our instructions, they are going to perform services related to our agreement with you; for example with customers who have job vacancies or who are interested in considering you for a position, with our suppliers in connection with verifying CVs, and in connection with payroll and accounting systems.

You should be aware that the personal data legislation imposed on customers in other countries with whom we share your personal data, may deviate from that in Norway.

Moreover, we may be legally obliged to disclose your personal data to Norwegian legal authorities or to other Norwegian government bodies. The same applies if we deem it necessary or appropriate to do so to prevent physical damage or financial loss, or in connection with suspected illegal activity.

We reserve the right to transfer your personal data to another legal person if we reorganise, sell, terminate or transfer all or part of our activity. In such cases we are obligated to obtain documentation that the acquiring legal person undertakes to meet the requirements for protecting personal data under Norwegian law.

7.0 Security

We maintain administrative, technical and physical security measures that have been developed to protect the personal data you provide against accidental, unlawful or unauthorised deletion, loss, alteration, access, disclosure or use.

We have entered into data processor agreements with our IT system providers. We use access control matrices to ensure that only those with a need to access our systems can do so. We have sound procedures in place for securely processing personal data, and for correcting and deleting information.

Dataoppdrag AS operates and maintains our cloud-based system. To ensure that registered personal data are processed in compliance with our personal data protection policy and the law, Dataoppdrag only grants access rights to employees who need access in order to provide the agreed services. Employees with access rights are also subject to internal procedures for processing personal data, and all Dataoppdrag employees have signed
confidentiality agreements.

8.0 Your rights and options

You have the right to access, update, correct and delete your personal data, in accordance with the Act relating to the Processing of Personal Data.

You may make corrections or delete your entire profile in Recruitment Manager until you acquire the status of «Employee» in our system.

When you acquire the status of «Employee», you may correct and delete anything you have personally registered or uploaded. You may do this without involving or asking Folk. The rest of your employee profile will contain documentation about payroll history, employment contracts, and job descriptions for the assignments you have carried out as an employee of Folk, and will be retained for up to five years after your final pay
disbursement, due to the Accounting Act and the company’s need for historical data.

After this period you entire profile will be deleted.

If your profile in Recruitment Manager, our candidate management system, has been passive for 12 months, you will receive notification of deletion four weeks before deletion is carried out. To avoid deletion, you must log into your profile by the deadline so that it continues to be registered as active. You may also delete your profile yourself.

You can protect your personal data interests at all times by contacting us. For example, you may request:

  • A complete summary of the personal data we have registered about you
  • A complete summary of the personal data we have shared with others
  • Withdrawal of previous authorisations
  • That incorrect personal data which you cannot correct yourself be corrected
  • More information about our personal data policy and our personal data protection procedures

By contacting us, you can choose from the options we provide to decide:

  • How we collect personal data about you
  • Which personal data you wish to have updated
  • Which personal data you wish to have deleted

You can enquire about these issues by sending an e-mail to our GDPR coordinators Ida Marie Lien ( or Tone Hundvin ( Alternatively, you can e-mail your point of contact here at Folk or call us on telephone (+47) 55 19 80 70.

9.0 Updates

Our personal data protection policy will be updated as required by law or to accommodate revisions to our personal data protection policy. Notification of any major changes will be clearly published on our website.