NADAexpress and GDPR

General

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the EU and the EEA. It became enforceable on 25 May 2018. The GDPR aims primarily to give control back to citizens and residents over their personal data.

NADAexpress stores and uses personal data to a very limited extent, without unique identifiers that would otherwise allow linking to other personal data, and in compliance with the GDPR. Further details are described on the rest of this page.

Company data and contact person data

The NADAexpress service is intended for businesses and other organizations, and not for individuals in an end-user market. In order to use NADAexpress, businesses and organizations have to register as users. However, a non-mandatory – in other words: not required – part of this registration is to enter data for a contact person. The data entered for a new user – containing data for the business/organization as such as well as for its contact person – is stored together as user data.

The contact person data contains these elements:
  • First name
  • Surname
  • Department
  • E-mail address
  • Phone number

It is important to note that these data contain no unique identifier for the contact person. Therefore, linking NADAexpress contact person data uniquely to personal data from other sources will be complicated or indeed impossible.

How is the data used?

When an ad producer sends an ad by NADAexpress, business/organization data as well as any registered contact person data will be placed in a Job Ticket that is sent either integrated into the ad file or in separate files along with the ad. For each ad the sender may override the registered contact person data with data for an alternative contact person.

Why use contact person data in the first place?

Having data for a contact person among the user data is very useful. If either NADA or the newspapers or magazines that receive the ads experience problems or have questions related to an ad, being able to contact the person that sent the ad directly is much more efficient than just contacting the main office of the business or organization.

Storage and editing of the data

The data is stored on NADA’s server in an SQL database from OpenBase. Backups are taken regularly, and protection against hacking, data break-ins and other unauthorized access is on a more than adequate level. User data, including the contact person data, is stored in a separate table in the database. User data values used in job tickets – along with other data for the ad and the transfer in question – are stored in another table.

User data may be edited at any time directly in the NADAexpress service, of course only by the registered user itself. As the contact person data part of the user data is not mandatory, it may be deleted at any time. User data / contact person data included in stored copies of previously sent job tickets may not be edited later on. This is necessary for the User log to be true.

Compliance with the GDPR

Below is a brief overview of NADAexpress’ compliance with the central requirements of the GDPR.

1. Consent

Businesses not based on legitimate interest cannot handle personal data for individuals unless the individual has given his or her specific, informed and clear indication of consent.

The Statement of Compliance that has to be accepted when registering as a NADAexpress user, together with the accompanying text, constitutes such an informed consent.

2. Right to access

The law grants individuals access to their personal data, and the right to know how the business will use the information it has collected. Upon request, the business has to supply a copy of the personal data, free of charge and in a digital format.

NADAexpress users may at any time log in and edit or delete the contact person data part of the user data. The use of the data is described higher up on this very page. Users may at any time take a digital copy of the user data by simple copy-and-paste operations.

3. The right to be forgotten

If an individual is no longer a customer, or withdraws a previously given consent to use personal data, the individual has a right to have the personal data deleted.

Registered users may at any time delete personal data by editing the user data.

4. Data portability

An individual has a right to have data transferred from one supplier to another, in a general and digital format.

Current status for NADAexpress:
  • There are no suppliers of similar services in Norway.
  • The personal data in NADAexpress is not linked to the individual by a unique identifier, so such a transfer would be impossible anyway.

5. The right to be informed

This goes for all kinds of collection of personal data done by businesses. Individuals must be informed before the data is collected, and individuals must give active consent to such data collection.

Sufficient information about the use of the data is given on this page. See also pt #1 concerning informed consent.

6. The right to update and correct information

This ensures that individuals may at any time update information that is outdated, incomplete or incorrect.

Registered users may at any time update the contact person personal data by editing the user data.

7. The right to restriction of processing

Individuals may request that their data no longer be used actively by the business. Information may still be stored but it must no longer be used.

As long as personal data is stored as a part of the user data, it will be used in the job tickets created. To avoid the use of personal data in the job tickets, the user has to delete all personal data from the stored user data, or delete it on a case-by-case basis when sending ads.

8. The right to deny use of personal data for marketing purposes

The individual has such a right, without exception.

NADA does not use personal data in marketing. Period!

9. Data breaches

In case of a data breach that may have consequences for individuals, these have to be informed within 72 hours of the breach.

NADA maintains a list of e-mail addresses for use in such cases.