Jump to main content

Personal data is all information that can be used to identify you. Below, you will find more information about how Skyss processes personal data and about your rights in relation to Skyss.

Purpose

The purpose of Skyss’s processing of personal data in the Skyss WebShop is to offer you as a customer an easy and secure way of buying ticket products, to create the correct conditions for efficient customer follow-up and to ensure that our inspectors can verify that you have a valid ticket.

Grounds for processing personal data

Skyss’s processing of your personal data requires a legal basis for the processing.

Processing of your personal data is necessary to meet the service agreement entered into between you and Skyss when you use Skyss WebShop and accept the terms and conditions of use, cf. the General Data Protection Regulation Article 6. 1b).

Using the Skyss WebShop is voluntary, and if you don't enter personal data in your profile, anonymous.

What personal data does Skyss process?

When you use the Skyss WebShop, the following personal data will be processed:

Email address

When signing up to use Skyss WebShop an email-address will be obtained from your method of login. Email addresses are only used to authenticate you, no information will ever be sent to the email you use for login.

Travelcard (Skysskortet)

Documentation of sale

All sales documentation is kept in accordance with the Bookkeeping Act. Travel information contained in your ticket purchase is only retrieved as personal data when initiated by you, for example in the event of a complaint or other enquiries that make it necessary to examine a specific purchase in more detail.

Information on method of payment

Bank cards: In order to pay with a bank card, there is an interface linked to a payment service that enables you to register a bank card via the Skyss Ticket app without storing your full bank account details in the app. If you choose to save one or more payment cards in your profile, it is nonetheless only the payment service that will have your full bank card details. The app only saves the first six and last four digits of the card number and the expiry date. This is required in order for customers to recognise the cards they have entered and to generate the necessary details that should be included on a receipt, as well as to efficiently maintain any right a customer may have to a refund.

Technical information

When you use Skyss WebShop, your IP address, the time of the enquiry, information on the browser and the version number including choice of language, are logged in the application log. This information is required for the solution to work on the given platform, and is logged to ensure that the service functions as it should. This provides us with the necessary information to resolve issues if any errors occur.

No forms of analysis tools are used (e.g. Google Analytics) that map and log the usage patterns of identifiable users. The only related functionality is crash reporting via HockeyApp that provides fully anonymised crash reports and is an aid for ensuring quick rectification of errors if the application crashes.

Cookies

To use the Skyss WebShop, your browser must accept cookies. Cookies are small text files that are placed on your computer when you download a website and are necessary for login, navigation and functions on the website to work smoothly. Please note that data that can be used to identify you is never stored through the use of cookies. It is possible to change the settings on your browser to prevent the website from using cookies. If you choose to de-activate cookies, you will encounter problems with being logged out. This is because the cookies are used to keep you logged in until you actively log out, or if you have been inactive for too long.

Statistics

Data used in statistics and analyses are in de-identified form and thereby cannot be linked to you. Skyss is obliged to submit traffic figures to the central and municipal authorities, cf. the Statistics Act Section 2-2 and the Local Government Act Section 49. Statistics are also used to improve and further develop the services we offer our customers. Examples of what statistics tell us are how many people travel between which zones, the number of purchases per ticket category and how many people purchase tickets via the webshop. Skyss collects information from the ticket purchases carried out via Skyss Webshop. Travel information contained in your ticket purchase is not used together with personal data to produce statistics.

Sources of personal data

All personal data processed in connection with Skyss WebShop are entered or generated by you. Skyss does not obtain personal data from third parties.

The Processor

Skyss WebShop is provided by WTW AS (the processor). WTW processes your personal data on behalf of Skyss and this is regulated in a separate data processing agreement. The data processing agreement ensures that WTW processes all personal data in accordance with this data protection declaration.

Ticket inspections are conducted by Securitas on behalf of Skyss. A separate data processing agreement has been entered into with Securitas.

Disclosure to third parties

The personal information that is required to register and carry out the payment, may be disclosed to the provider of the chosen payment alternative. Skyss does not disclose your personal data to any third parties, other than those mentioned in this declaration, unless there are legal grounds for such disclosure, for example a ruling or written order from the prosecuting authorities.

Anonymised travel history can be used for statistical purposes. Anonymised data is not considered personal data, and can therefore be submitted to third parties.

Access to personal data

The personal data processed will only be available to authorised personnel with an official need at Skyss and our sub-contractors, including Securitas, payment services, WTW AS and operating contractors.

Storage and erasure

All data are stored in Norway in WTW’s server centre. The servers are operated by personnel in Norway. All data stored in the back-end system are stored in accordance with applicable legislation. Your personal data will not be stored for longer than necessary to achieve the communication purpose for which the application is used.

Both Skyss and WTW AS have implemented data security measures and internal procedures to verify that no personal data fall into the wrong hands or are used for other purposes than those described in this data protection declaration.

Profile information

Your profile information is stored as long as you as a customer have an active contractual relationship with Skyss. You have the right at all times to request that your user account be deleted from the Skyss Webshop, you can also yourself delete your account. You will then have to register again if you wish to use the webshop at a later date. If you have entered other personal data in Skyss WebShop, you can edit these data at all times in your profile in the webshop.

Transaction history and sales documentation

All sales documentation is stored for five years after the end of the accounting year, cf. the Bookkeeping Act Section 13 with pertaining regulations. The receipts for your last purchases will be available at all times in the Skyss Ticket app. In accordance with the requirements of the payment services, Skyss is obliged to give you access to sales documentation for all purchases made via the webshop over the past 20 months. After 20 months, the sales documentation is archived and anonymised.

Technical information and the application log

Different parts of the application log are stored for a sufficient period to ensure that the service works as it should and that you as a customer receive the service you are entitled to. For example, in the event of complaints based on faults in the service, the storage period for relevant application logs can be extended to allow the necessary period for considering the complaint.

Security

All communication between the solution and your browser is encrypted. All access to the system via the internet is encrypted. All internal data transfer between different components in the system is encrypted. Access to retrieve data can only take place via API, which is encrypted and secured by access keys. Access to data via Skyss’s interface is role-controlled and personal with an incident log for traceability. The administration interface for the solution is designed with different levels of access so that only persons with a prescribed need at Skyss or WTW are given access to the amount of data relevant to their needs.

Your rights in relation to Skyss

You can access, correct and erase all personal data that you yourself have entered in your user profile for Skyss Ticket via the settings in the application.

Right of access

You may request access to the personal data that Skyss processes about you.

Right to correct

You may request that incorrect or incomplete personal data be corrected or supplemented.

Right of erasure

You may request that Skyss erases your personal data if the terms for this are met, for instance if Skyss has processed your personal data in an unlawful way or for longer than necessary.

Right of limited processing

You may request that the processing of your personal data be limited if you contest the accuracy of the personal data, the legality or necessity of the processing or if you have objected to the processing and Skyss has accepted your objection.

The processing will be limited from the time the objection is submitted and during the period of time it takes Skyss to assess the objection. If the processing shall be limited, Skyss is only allowed to store the limited personal data, and any other processing can only happen with your consent. This applies unless Skyss is required to process personal data in connection with judicial matters, to protect the rights of others, or if the processing is of public interest.

Right to object

You may object to the processing of your personal data if you believe Skyss does not have the right to process your personal data. In such cases, Skyss may only continue processing the data if Skyss can substantiate a justifiable interest that carries more weight than your interests, rights or liberties. The personal data may in any case be processed if Skyss is legally obligated to do so or if processing is necessary in order to establish, assert or defend a legal claim.

Right of data portability

You may request that the personal data you have submitted to Skyss for processing based on your consent or to meet a contract to which you are bound be sent to you in a structured, ordinary or machine readable format. You also have the right to request that Skyss transfer such information to another controller.

Right to complain to the Norwegian Data Protection Authority

You can complain to the Norwegian Data Protection Authority if you are dissatisfied with Skyss’s reply or believe that Skyss is processing your personal data in breach of the applicable data protection regulations. Information on the complaint procedure is available here.

Contact information

If you have any questions relating to Skyss’s processing of your personal data or you would like to access, correct, erase or request limited processing or data portability, please use the contact form here.

Published:

Updated: