Skip to main content

Processing of (personal) data by the entity in charge of the online application process

Privacy Policy

This Privacy Policy provides information about how Norvestor processes personal data when you use this website and when we provide our services.

The Norvestor entity in the jurisdiction where you operate is responsible for ensuring that we process your personal data in compliance with applicable privacy laws, including the General Data Protection Regulation (EU) 2016/679 (often referred to as GDPR) and national data protection regulations in jurisdictions where we process personal data. It is this company we refer to when we use terms as “we”, “us”, or “our” in this policy.

If we make significant changes to our Privacy Policy or to our privacy practices, an updated version of this Privacy Policy will be made available to you.

Personal data

Norvestor will process personal data for the purpose of:

The hiring process: such personal data include general information, contact information and professional information, such as application, degree certificate, interview form, personality test, credit rating, pre-employment screening and other information relevant to assess whether you are qualified for the position. The legal basis for this processing is the GDPR article 6 (1) b, whereas the processing is necessary for the preparations prior to entering into the employment contract. Our employer branding and recruitment process is managed through our career site; more information on the processing of personal data submitted through our career site can be found here[AMT/B1] .


Assess whether you are fit and have the qualifications required for the relevant position. For certain positions, such personal data may include information regarding bankruptcy proceedings, fines and penalty charges, criminal investigations, indictments, convictions, and additional tax. The legal basis for this processing is the GDPR article 9 (2) b, and article 6 (1) b, whereas the processing is necessary for the purpose of carrying out the obligations and exercising the rights in the field of employment in relation to the engagement. Under the GDPR such personal data are considered special categories of personal data, and special measures will be taken to ensure adequate data protection for these personal data.

Complying with legal obligations. Such personal data may include information related to AML/KYC, own-account trading, gifts and contracts with suppliers and service providers. The legal basis for this processing is the GDPR article 6 (1) c, whereas the processing is necessary for the purpose of compliance with legal obligations.


Conducting due diligence on potential new investments by funds advised or managed by Norvestor. For certain investments, Norvestor may be provided with data containing personal data related to employees, board members, clients, sellers, and other individuals. The legal basis for this processing is the GDPR article 6 (1) f, whereas the processing is necessary for the purpose of legitimate interests.

Assisting business partners and other third parties with AML/KYC controls (know your customer processes). Norvestor may retain a copy of the passport for business partners who have explicitly consented to this. The legal basis for this processing is the GDPR article 6 (1) a and f, and 9 (2) a whereas this particular processing is based on consent.


Assisting potential and existing investors in a due diligence process and classifying investors. This may involve the collection of personal information, such as the individual's name, role, education, age, experience, contact details and similar details. The purpose of assisting potential investors is to facilitate fundraising and investments, including performing due diligence and closing. The legal basis for this processing is the GDPR article 6 (1) f, whereas the processing is necessary for the purpose of legitimate interests. Classifying investors is to sort out professional investors in accordance with MiFID and make sure that potential investors have access to sufficient information to make informed investment decisions regarding a fund or portfolio company managed or advised by Norvestor. The legal basis for this processing is the GDPR article 6 (1) c, which allows for the processing of personal data when it is necessary for compliance with a legal obligation to which the controller is subject.

Access control: such personal data include information relating to the access control system, such as entries, and activation and blocking of admission cards. The legal basis for this processing is the GDPR article 6 (1) f, whereas the processing is necessary for the purpose of legitimate interests. The legitimate purpose pursued is the need to ensure safety and prevent unauthorised access.


  • Website use: Norvestor collects and retains personal data through cookies for a limited duration, typically during your website visit. Upon revisiting, we may access cookies and previously stored personal data. We only use cookies that are necessary for the proper functioning of the website, such as preventing unauthorized actions and maintaining a secure browsing environment. The legal basis for these cookies is based on GDPR Article 6 (1) f for legitimate interests – ensuring safety and preventing unauthorized access. The cookies placed on your device have varying lifespans, ranging from 30 seconds to 1 year. For detailed information on the duration of storage for each cookie on your device, please refer to section 5.
The personal data is collected directly from you, or from other sources, including publicly accessible sources such as public registers and the internet, within the framework of applicable law.

Data security and retention

Norvestor is required to prevent unauthorised access to your personal data. We utilize reasonable and appropriate physical, technical, and administrative procedures and measures to safeguard the personal data we collect and process.
Norvestor will not retain your personal data longer than necessary and will assess the need for retention of personal data on an ongoing basis. Unnecessary personal data will therefore be deleted when retention is no longer necessary, or if the legal basis for the processing activity is based on consent, when your consent is withdrawn.

Use of service providers

Norvestor may provide its service providers access to the personal data if they provide services such as maintenance, operations, or other technical or AI solutions to Norvestor. To safeguard your rights pursuant to the applicable national personal data regulations, Norvestor has entered into data processing agreements with the service providers who may gain access to or process personal data on behalf of Norvestor. Our service providers are not entitled to make use of the personal data for other purposes than those set out in this Privacy Policy. Our service providers have an equal obligation to enter into a data processing agreement with their respective service providers (sub-processors), ensuring that the sub-processors are imposed the same obligations as the service providers.
In the event that a service provider is located outside of EU/EEA, Norvestor will ensure that sufficient safeguards are implemented in order to ensure that such transfer is safe and in accordance with the applicable national personal data regulations.

Disclosure to third parties

Norvestor will only disclose personal data to third parties if (i) such disclosure is required by the GDPR or is in accordance with national data protection regulations, and (ii) the disclosure is made for the purposes set out in this Privacy Policy. Such third parties may include banks, financial and legal advisors, and national tax authorities. In addition, Norvestor may disclose personal data to funds managed or advised by Norvestor, including their affiliates, on a need-to-know basis, subject to the provisions in (i) and (ii) above.
Norvestor may disclose personal information, including passport details and proof of address, pertaining to business relations (e.g., investor, business partner etc.), to third parties such as airline companies, foreign immigration authorities, embassies, and other institutions mandated to conduct AML/KYC controls. Additionally, Norvestor may share personal information, specifically passport details and proof of address, with reporting entities, including companies, organizations, and institutions bound by legal obligations to perform AML/KYC controls (know your customer processes). The processing of this information is based on the explicit consent of the individual, as outlined in article 6 (1) a and f, and article 9 (2) a, allowing the data subject to withdraw consent at any time.
Norvestor may disclose personal data related to employees, former employees, and business relations to potential investors. The processing of this information is based on the legitimate interest of Norvestor, as outlined in article 6 (1) f.
Norvestor may disclose personal data relating to candidates to our recruiters. The processing of this information is necessary for the preparations prior to entering into the employment contract, as outlined in article 6 (1) b.
Norvestor may disclose personal data to our newsletter service provider Apsis. We have an agreement with Apsis regarding distribution of newsletters and other relevant information on behalf of Norvestor. For Apsis to distribute the newsletters, we must share some of your contact details with Apsis. The processing of this information is based on the legitimate interest of Norvestor, as outlined in article 6 (1) f.
In the event that a third party is located outside of EU/EEA, Norvestor will ensure that sufficient safeguards are implemented in order to ensure that such disclosure is safe and in accordance with data regulations.

Your rights

You have the right to request access to, and rectification or erasure of your personal data. You also have the right to request restriction of the processing, object to the processing, and to request data portability. For further information on these rights, please see:
the Norwegian Data Protection Authority (Datatilsynet) website: www.datatilsynet.no
the Luxembourg National Commission for Data Protection (CNPD) website: www.cnpd.public.lu
the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten) website: www.imy.se
the Finnish Office of the Data Protection Ombudsman (Tietosuojavaltuutetun Toimisto) website: www.tietosuoja.fi
the Danish Data Protection Agency (Datatilsynet) website: www.datatilsynet.dk
the German Federal Commissioner for Data Protection and Freedom of Information (BFDI) website: www.bfdi.bund.de
the United Kingdom’s Information Commissioner’s Office (ICO) website: www.ICO.org.uk
If a processing activity is based on your consent, you have the right to withdraw your consent at any time.
To exercise your rights, you may contact us at Privacy@norvestor.com. We will respond to your request as soon as possible, and no later than 30 days.
If necessary, we may ask you to confirm your identity or to provide further information before we allow you to exercise your rights. This is to ensure that we only give access to your personal data to you, and no one else.
Complaints regarding processing of personal data may be submitted with the relevant National Data Protection Authority.

The data controller

When the Norvestor entity, in the jurisdiction where you operate, is the data controller for the processing activity. Any questions regarding this Privacy Policy and our privacy practices should be sent by e-mail to Privacy@norvestor.com. Inquiries in relation to the rights set out in section 3 above should be sent to Norvestor in the same manner.
The following Norvestor entities are the data controller for the designated jurisdictions:
Norvestor Advisory Aps (Denmark)
Norvestor Advisory OY (Finland)
Norvestor Advisory AB (Sweden)
Norvestor Advisory AS (Norway)
Norvestor Advisory GmbH (Germany)
Norvestor Advisory Ltd (United Kingdom)
Norvestor Investment Management S.a.r.l. (Luxembourg)

Cookies

This section provides an overview of how cookies are utilized on our website to enhance your browsing experience.
CRAFT_CSRF_TOKEN Cookie
The "CRAFT_CSRF_TOKEN" cookie is used for security purposes to prevent unauthorized actions on our website and maintaining a secure browsing environment.
1031b8c41dfff97a311a7ac99863bdc5_identity
The “1031b8c41dfff97a311a7ac99863bdc5_identity” cookie is used for user authentication and session management on our website.
Norvestor
The “Norvestor” cookie is used for tracking and analyzing user interactions for the proper functioning of the website.
1031b8c41dfff97a311a7ac99863bdc5_username
The “1031b8c41dfff97a311a7ac99863bdc5_username” cookie is used for storing the username of the logged-in user for personalized browsing experiences and easy access to their account.

[AMT/B1]Hyperlink to career site privacy policy included. However, it is also possible to just write that it can be found on the career site.



 



Processing of (personal) data by the operator of the recruitment website

General information

This recruitment website is operated by Personio SE & Co. KG, which offers a human resource and candidate management software solution (https://www.personio.com/legal-notice/). Data transmitted as part of your application will be transferred using TLS encryption and stored in a database. The sole controller of this data within the meaning of article 24 of the GDPR is the enterprise carrying out this online application process. Personio’s role is limited to operating the software and this recruitment website and, in this context, being a processor under article 28 of the GDPR. In this case, the processing by Personio is based on an agreement for the processing of orders between the controller and Personio. In addition, Personio SE & Co. KG processes further data, some of which may be personal data, to provide its services, in particular for operating this recruitment website. We will refer to this in more detail below.

The controller

The controller under data protection law is:
Personio SE & Co. KG
Seidlstraße 3
80335 München
Tel.: +49 (89) 1250 1004
Entry in the commercial register
Commercial register entry number: HRA 115934
Registration Court: Amtsgericht München
Data Protection Officer contact: privacy@personio.com

Access logs (“server logs”)

Each access to this recruitment website automatically causes general protocol data, so-called server logs, to be collected. As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. Without this data, it would, in some cases, be technically impossible to deliver or display the contents of the software. In addition, processing this data is absolutely necessary under security aspects, in particular for access, input, transfer, and storage control. Furthermore, this anonymous information can be used for statistical purposes and for optimizing services and technology. In addition, the log files can be checked and analyzed retrospectively when unlawful use of the software is suspected. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. Generally, data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp of the access to the software is collected. The scope of this log process does not exceed the common log scope of any other site on the web. These access logs are stored for a period of up to 7 days. There is no right to object to this.

Error logs

So-called error logs are generated for the purpose of identifying and fixing bugs. This is absolutely necessary to ensure we can react as quickly as possible to possible problems with displaying and implementing content (legitimate interest). As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. When an error message occurs, general data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp upon occurrence of the respective error message and/or specification is collected. These error logs are stored for a period of up to 7 days. There is no right to object to this.

Use of cookies

So-called cookies are used on parts of this recruitment website. They are small text files which are stored on the device with which you access this recruitment website. As a general rule, cookies serve the purpose of ensuring secure access to a website (“absolutely necessary”), implementing certain functionalities such as standard-language settings (“functional”), improving the user experience or the performance of the website (“performance”), or placing targeted advertisements (“marketing”). On this recruitment website, we generally use only cookies that are absolutely necessary, functional or performance-related, in particular for implementing certain default settings such as language, for identifying the job advertising channel, or for analyzing the performance of a job advert via which a user accessed this recruitment website. The use of cookies is absolutely necessary for providing our services and thus for the performance of the contract (article 6 (1) b) of the GDPR). Period of storage: up to 1 month or until the end of the browser session Right to object: You can determine via your browser settings whether you allow or object to the use of cookies. Please note that deactivating cookies may result in limited or completely blocked functionalities of this recruitment website.

Rights of data subjects

If Personio SE & Co. KG as the controller processes personal data, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and the purpose of the processing, in particular the right of access (article 15 of the GDPR) and the rights to rectification (article 16 of the GDPR), erasure (article 17 of the GDPR), restriction of processing (article 18 of the GDPR), and data portability (article 20 of the GDPR), as well as the right to object (article 21 of the GDPR). If the personal data is processed with your consent, you have the right to withdraw this consent under article 7 III of the GDPR. To assert your rights as a data subject in relation to the data processed for the purpose of operating this recruitment website, please refer to Personio SE & Co. KG’s Data Protection Officer (see item B).

Concluding provisions

Personio reserves the right to adjust this data privacy statement at any point in time to ensure that it is in line with the current legal requirements at all times, or in order to accommodate changes in the services offered, for example when new services are introduced. In this case, the new data privacy statement applies to any later visit of this recruitment website or any later job application.