Privacy Policy

Privacy statement for Lily Hospitality Group AS (LILY)

When you are in contact with LILY (hereinafter referred to as “we” or “us”) it may be necessary for us to process personal data about you. We care about your privacy and take this seriously. We have therefore prepared this privacy statement to provide you with information on how we handle your personal data
and your rights.

Who is the controller?
LILY is the controller and thus responsible for the personal data that is processed when you are in contact with us.

Our contact information:
Lily Hospitality Group AS
Business registration no.: 991 304 673
Address: Oksenøyveien 10, 1366 Lysaker, Norway
E-mail: post@lilyhospitality.com

LILY consists of multiple business areas. Each of these business areas may have websites and services that necessitate further specification beyond that which emerges in this privacy statement. In such cases, specific privacy statement will come in addition to this privacy statement. Where this is relevant, you will be informed.

Our processing of personal data
Which personal data we collect, the purpose, and the legal basis for such processing depend on our relationship to you and your contact with us. An overview of our processing in the various situations is found below.

We do not undertake profiling or fully automated processing of your personal data.

If you contact us
When you contact us, for example in relation to media, through our website or in other ways, we will process personal data about you. 

The personal data we collect about you will typically be contact information such as your name, email address and other information you wish to share with us and which is regarded as being necessary to respond to your inquiry.

Our legitimate interest is the basis for this processing. The legitimate interest is our need to be able to respond to your inquiry.

Our business activity
It may be necessary for us to process personal data about you if you are employed with one of our customers, suppliers or partners, or if we are contacted regarding financing.

The personal data we process in this context will most often be contact information such as your name, email address and telephone number, as well as information about your employer and your position.
Furthermore, we will process other information which you provide to us, or which emerges from our contact with you, to the degree deemed necessary for the specific process.

The basis for this processing of personal data is our legitimate interest in being able to perform tasks linked to our business activity, including for example enabling a cooperation with your employer.

Legal obligations
We are required by law to process personal data in certain cases, including in connection with documenting compliance with obligations in relation to tax, accounting or legal processes. In this connection, it may be necessary to process personal data about you. This could, for example, be necessary if your name is listed on an invoice or contract subject to retention obligations.

The legal basis for such processing is the legal obligation to which we are subject.
The information will be deleted when the purpose of the processing is fulfilled, such as for example where the reporting obligation is fulfilled or we are no longer required to retain the information.

Due diligence
In connection with our business activity, we may perform a due diligence process (company review) of other companies (business partners). This work will include obtaining personal statements, non-disclosure agreements and background checks and security assessments of employees in the relevant company.

Personal data such as name, gender, position and information available to the general public which we deem necessary for the company review.

The legal basis for our processing of personal data in a due diligence process is our legitimate interest in verifying our business partners, and maintaining the necessary levels of quality and security in our processes, services, deliveries and premises.

If the necessary processing is of such a character that it cannot be warranted by our legitimate interest, we will obtain your consent.

In connection with job applications
When you apply for a job with us, we will typically collect your CV and application text, and thus information about previous employment, length, position category, percentage (full-time/part-time), area of responsibility and other information you wish to share in your job application, or which otherwise emerges during the application process.

Our basis for processing personal data about you in an application process, is that this is necessary in order for us to enter into a potential agreement with you concerning a permanent or temporary position.

As regards candidates who are not hired, the CV and application will be deleted when a person is employed in the position for which you applied. If we wish to retain your CV and application, we will specifically request your consent for this, and these documents will then be stored in our internal
archive systems for assessment in relation to other relevant positions that may be of interest at a later date. Your personal data will be stored for up to 3 years, if you want your application to be available in our archive system.

When you register to receive our newsletter
When you register to receive our newsletters we will register your email address so that we can send you the newsletters.

The purpose of this process is so that we can send you the newsletters, or other information you have requested/signed up to receive. The basis for this processing is the consent you give when you sign up to receive the newsletters.

You can revoke your consent at any time by following the procedure described at the bottom of all our newsletters. When you revoke your consent, we will remove you from the list of recipients.

When you make a booking with us or participate in our events
If you make a booking or sign up for any of our events, we can register personal data such as your name, contact information and, if you so desire, preferences related to implementation, food and beverage, travel and accommodation.

The basis for processing this information is that it is necessary in order to fulfil a potential agreement with you. If we deem it necessary to obtain personal data about you that is covered under a “special
category” of personal data (e.g. information about allergies), we will request your consent for this.

The information will be deleted after your stay or the event is completed, unless we have some other legal basis for retaining the information longer.

Sharing personal data
Data processors
In certain cases, it is necessary for us to share your personal data with our data processors. These are typically our service providers within operations, security, maintenance and IT that provide technical solutions such as storage services.

To safeguard your rights, we have entered into data processing agreements with all our data processors, which e.g. entails that your personal data cannot be used for any other purpose than what we have agreed with you.

Our use of data processors may entail that your personal data will be transferred to data processors located in countries outside the EU/EEA. This means that personal data may be transferred to a country with regulations that do not provide the same degree of protection of personal data as the rules in Norway. In order to ensure your privacy, such transfers will only take place in accordance with the prevailing data protection legislation, for example via contractual systems approved under applicable data protection legislation, including the EU’s General Data Protection Regulation (GDPR).

Other third parties
We do not pass on your personal data to others unless there is a lawful basis for such disclosure of data.
Examples of such a basis will typically be your consent or a legal basis that gives us the right to, or obligates us, to disclose the information.

Disclosure of personal data may entail that your personal data is transferred to third parties located in countries outside the EU/EEA. In order to ensure your privacy, such transfers will only take place in accordance with the applicable data protection legislation.

Other LILY companies
We cooperate with other LILY companies and it may be necessary to share personal data with these companies from time to time. This could be necessary in order to respond to your inquiry, because we cooperate to deliver a service, or because we share IT systems.

In cases where the other LILY company acts as our data processor, we will process your personal data as described above under “data processors”, and where other LILY companies act as the party responsible for processing, the item under “other third parties” will be followed.

Securing our IT solutions
Our IT solutions are made up of systems in our own data centre, as well as in cloud solutions.

The information is secured using physical, technical and administrative methods and measures, such as protection of infrastructure and office buildings, technical facilities and stipulating requirements for our personnel and subcontractors, including security measures prescribed in GDPR.

Deleting personal data
We comply with the applicable Personal Data Act, including the rules relating to deleting personal data. This means that we delete your personal data when it is no longer necessary to store this data to fulfil the purpose for which the personal data was collected.

This means that if the processing, for example, is based on your consent, we will delete the personal data if you revoke your consent, unless there is some other valid basis for continuing to process the personal data.

For example, we will also delete your personal data when we have answered your inquiry, or we are informed that the cooperation with your employer has ceased.

If our legitimate interest in processing your personal data has lapsed, for example if we are informed that you are no longer employed with our partner, we will delete your personal data.

If a statutory storage obligation exists, the personal data will be deleted when this storage obligation ceases.

Your rights
With certain reservations, you have the right to demand access, correction or deletion of the personal data we process concerning you. You also have the right to demand restricted processing, lodge an objection against the processing and the right to demand data portability if certain conditions are fulfilled.

If our basis for processing rests on your consent, consent is voluntary and you can revoke such consent at any time.

You can read more about what your rights entail and when they apply, see the (Norwegian) Data Protection Authority’s website: www.datatilsynet.no.

Note that demands for deletion of data may be restricted due to our statutory obligations, for example as a consequence of the Accounting Act and the Bookkeeping Act, or if this can come at the expense of other persons’ rights to privacy.

If you wish to assert one or more of your rights, contact us as described below under “contact information”.

Appeal concerning processing of information
If you believe that we are processing information unlawfully, you have the right to appeal to the Data Protection Authority. We hope that you will contact us first, so that we can assess your objections and clear up any misunderstandings.

Visiting www.lilyhospitality.no and cookies
We use cookies on our website www.lilyhospitality.no. These are small text files stored on your device when you open our website. The cookies are used to receive information about the traffic and user
pattern on our website in order to improve the website and adjust it to our users.

The personal data collected through the cookies is, among others, IP address, the type of browser used, the date and time of the visit. The information is not used to identify the user.

The information collected through Google Analytics is stored on Googles server in the US. Google is regarded as a data processor and has joined the Privacy Shield.

Use of cookies requires your consent. As a user of our website you will be asked whether you accept the use of cookies. If you accept the use of cookies the services mentioned above will be used. If you reject the use of cookies you will not be asked again for an entire year.

You can at any time change your cookie settings in your browser if you do not wish to accept the use of cookies. You can find a list containing details for disabling or blocking cookies in your web browser.

Contact information
Feel free to contact us if you have questions, comments or if you wish to exercise your rights or complain regarding how we process your information.
You can use the following contact information:
Contact: post@lilyhospitality.com
You can also contact the Data Protection Authority, see www.datatilsynet.no.

Changes in the privacy statement

We may update the privacy statement from time to time if, for example, we change our guidelines, or in connection with changes in legislation. You can always find the latest version of our privacy statement on our website, www.lilyhospitality.no