Privacy Statement

Table of contents

About the Privacy Statement

In this privacy statement, you can read about how the Norwegian Customs processes personal data to contribute to the protection of privacy and to facilitate an effective solution to the Norwegian Customs’ societal mission, which is to ensure compliance with laws and regulations for cross-border movement of goods. You can also learn about your rights when you are registered in the Norwegian Customs’ systems and registers.

What is personal data?

Personal data means any information relating to a natural person. The key factor in determining whether information is personal information is whether the information can directly or indirectly identify a specific person, such as a name, address, phone number, email address, or IP address, as well as a photo or vehicle registration number.

Why the Norwegian Customs process personal data

The Norwegian Customs has various obligations in society as stipulated by laws regulating the activities of the Norwegian Customs. To fulfill its purposes, the Norwegian Customs is authorized to collect information about individuals, businesses, and affected parties. This information is obtained from those in contact with the Norwegian Customs, from the customs itself, and from public registers and collaborative partners.

We shall not collect more information about you than necessary, and the information gathered shall only be used for the purpose for which it was collected unless we have a legal basis to use it for other purposes.

Tasks of the Norwegian Customs according to customs legislation

• Ensure accurate and complete information on goods imported and exported, as a basis for calculation of duties and for use in mapping and statistics
• Aid in protecting society from illegal import and export of goods by ensuring compliance with restrictions imposed in consideration of, inter alia, public safety, protection of human life and health, animal welfare, plant conservation and environmental protection.
• Ensure that Norway fulfils its obligations under international treaties on cross-border movement of goods.
• Collaborate with other authorities and organizations both nationally and internationally in tasks related to the Customs Agency's field of operation in accordance with rules prescribed by law or regulations.
• Perform tasks on behalf of other public authorities and collaborators, including the import and export of goods when the Norwegian Customs assists other authorities in controlling their regulations. We verify compliance with regulations on behalf of entities such as the Food Safety Authority, Agriculture Administration, Medicines Agency, and the Tax Administration. This includes legislation related to taxes and duties, food and commodities, narcotics, alcohol, tobacco, medicines, weapons, hazardous substances, animals, environment, waste, and intellectual property rights. In these areas, we also cooperate with customs authorities in other countries.
• We also process personal information in cases where other public authorities depend on information from the Norwegian Customs to carry out their legally mandated tasks in a safe and responsible manner. For example, the Norwegian Customs is obligated to provide information from customs declarations to Statistics Norway for the preparation of trade statistics and to the Tax Administration for the calculation and collection of duties. We also process personal information to assess whether goods to be imported into the EU/EEA pose a threat to security and safety, public health, the environment, or consumers.

Administrative tasks, case processing, inquiries, and administrative responsibilities.

• Case processing
• Guidance for residents and businesses
• Job applications or assignments for the Norwegian Customs
• Visitor registration and participation in events
• Camera surveillance at locations to ensure security
• Handling reports from external sources in whistleblowing cases

Legal Basis and examples

About the Legal Basis for the Norwegian Customs’ processing

The regulations governing how the Norwegian Customs can process personal data depend on the tasks the Norwegian Customs is required to perform and the purpose for which the Norwegian Customs processes the information.

The Norwegian Customs’ processing of personal data has its primary legal basis in law and regulations, such as:

• Movement of Goods Act
• Customs Duty Act
• Public Administration Act
• Freedom of Information Act
• “Skatteforvaltningsloven” (act about tax administration)
• “Vegtrafikkloven” (act about road traffic)
• “Legemiddelloven” (act about pharmaceuticals)

For more information, you can read about the Movement of Goods Act and the Customs Duty Act on “Lovdata”.

Norway has mutual assistance agreements in customs matters with several countries and with the EU. Moreover, many of the trade agreements include rules on confidentiality, which also address the relationship with data protection. Through a security agreement with the EU, Norway has committed to contributing to the risk assessment of goods to be imported into the EU/EEA.

In addition, the Norwegian Customs has a legitimate interest in ensuring the safety of employees and the public in connection with travel and control implementation, as well as securing our buildings. Therefore, we have surveillance cameras at customs stations and in our office buildings.

Processing of personal data for the movement of goods

Obligation to notify and provide information upon arrival at the destination in the customs territory, is a process that involves submitting information about the flow of goods and transportation related to the movement of goods to the Norwegian Customs. This information is processed before crossing the border with the purpose of fulfilling the notification and information obligation in accordance with § 2-3 of the Movement of Goods Act and associated regulations. In this context, information about the driver, carrier, customs representative, sender, and recipient, as per the shipping agreement and information provider for the fulfillment of the notification and information obligation, is processed.

The personal information is processed to correctly identify the obligated party for the notification and information obligation. This is necessary, for example, to sanction legal violations (Movement of Goods Act chapter 12). The information is also used to handle border crossings, in accordance with the purpose provision of § 1-1 of the Movement of Goods Act.

With legal basis in Chapter 4 of the Movement of Goods Act and Chapter 6 of the Customs Duty Act, personal data is processed to handle applications for permits and customs exemptions.

§ 8-5 of the Customs Duty Act provides the legal basis for compiling collected personal data, including health data as mentioned in GDPR article 9(1) and personal data as mentioned in GDPR article 10, when necessary for control of customs duties.

Processing of personal data for carrying out control of the movement of goods

Chapter 8 of the Movement of Goods Act contains rules regarding the customs authorities’ collection of information during control, both during inspections of goods entering or leaving the customs territory and during inspections of documents.

The Norwegian Customs have a specific legal basis for collecting and storing information about cross-border traffic on roads and ferry terminals with international traffic, as outlined in § 8-9 of the Movement of Goods Act. We also have the authority to collect information about passengers, as specified in § 8-8.

We are allowed to compile collected personal information and make decisions solely based on automated processing when necessary for the control of the import and export of goods, including intelligence. The control information we gather is compared with information previously collected about goods and similar items in accordance with the rules in the Movement of Goods Act, chapters 2 to 5. The degree of personal identification shall not exceed what is necessary for the intended purpose.

Processing of personal data in connection with administrative tasks

Processing of personal data about employees and others performing tasks for the Norwegian Customs

The Customs Agency processes personal information about those who work for or in the Customs Agency, in accordance with the GDPR Article 6(1)(b) to fulfill the employment contract and Article 6(1)(f) when the processing is necessary for purposes related to our legitimate interests when we do not act as a public authority.

Processing of personal data about job applicants

When job applicants apply for a position in the Norwegian Customs, our legal basis for processing personal data is GDPR Article 6(1)(b).

For applicants who disclose having a disability, gaps in their CV, or an immigrant background, the legal basis is GDPR Article 6(1)(c), stating that the processing is necessary to comply with a legal obligation, and Article 9(2)(b), indicating that the processing is necessary for us to fulfill our obligations in the field of labor law in accordance with the law, which is the legal basis for processing the information.

A SEMAC background check is used for those who are offered a position in the Norwegian Customs, with the legal basis being GDPR Article 6(1)(f), legitimate interest.

Processing of information in connection with procurement

The legal basis for processing personal information in connection with procurement is GDPR Article 6(1)(c), legal obligation. The legal obligation follows from the regulations for public procurement.

In connection with the follow-up of agreements, deliveries and invoicing, the legal basis is GDPR Article 6(1)(b), contract.

Processing of personal data in case handling and guidance

When the Norwegian Customs has cases to process, such as handling appeals against decisions, we process personal information to fulfill our tasks. The legal basis for this processing is GDPR Article 6(1)(e), which allows us to process information necessary for the exercise of official authority, also referred to in the Public Administration Act §§ 17 and 11.

Processing of personal data in chat and chatbot:

Information about you is processed with the legal basis of your consent, which you provide if you use the chatbot.

• The questions you ask in the chatbot are stored for 30 days.
• The dialogue with answers and choices is not stored.
• All numbers in the chatbot are anonymized. This means that if, for example, you enter a social security number, it will be deleted in the chatbot.

Activity Logs

In relation to the use and management of activity logs about users (employees and contractors), personal data about other categories of registered individuals may also be included. The personal data was originally collected based on the control authorities in the Movement of Goods Act, and the Customs Duty Act. When using and managing activity logs, the same personal data is processed as a measure to ensure that the Norwegian Customs can prevent and detect unauthorized use without official needs that provide access to personal data. The personal data is further processed to protect the privacy of the registered individuals. This is thus a processing compatible with the purposes for which the personal information was originally collected, cf. GDPR Article 6(4).

In addition to internal users, activity logs capture the activity of two groups of external users who have access to our IT systems:

• Users from the business sector who use the Norwegian Customs’ IT systems to comply with regulatory obligations.
• Users from other public entities who use the IT systems as part of their business operations.

The legal basis for this logging is Article 6(1)(f) "legitimate interest," justified by the Norwegian Customs’ need to safeguard information security, including integrity, availability, and confidentiality.

Processing of personal data

What personal data can the Norwegian Customs process?

The specific personal data needed depends on the task the Norwegian Customs is handling. The Norwegian Customs processes personal data, including but not limited to:

• Identity information (name, date of birth, gender, citizenship) and contact information (postal address, residential address, email address, phone number) and relationships to others (spouse, children, cohabitant, etc.).
• Information from the movement of goods (sender and receiver of goods, value of goods, description of goods, information about goods requiring special permission, e.g., permission to import weapons or carry medicines).
• Information necessary for planning, targeting, and conducting controls (prior violations of customs laws, economic transactions conducted abroad as indicated in the currency register, traffic and behavioral patterns, names and contact information, information about import and export of goods, means of transport, and finances).
• Information about cross-border traffic on roads and ferry terminals (vehicle registration number, vehicle direction, time and location of passage, vehicle owner).
• Images of individuals, vehicle registration numbers, travel patterns, and carried goods, may appear in camera surveillance at customs stations.
• Images of passersby and visitors, along with time and location, may be captured by camera surveillance in our office buildings.

How does the Norwegian Customs obtain personal data?

The Norwegian Customs obtains information from various sources. Here are some examples:

• Information from importers/exporters/transporters/forwarders: When goods are imported or exported, information must be provided to the Norwegian Customs during border crossings and customs processing. This applies to both individuals who have purchased goods from abroad and businesses engaged in commercial import, export, or transportation of goods in and out of the country.
• Information from other public registers, such as the population register and currency register (Norwegian Tax Administration), vehicle register (Norwegian Public Roads Administration), and the Brønnøysund Register Centre.
• Customs authorities in other countries with which we have agreements.
• EU's Common Import Control System (ICS2 Common Repository), Movement of Goods Regulations § 2-1-1.
• NCTS (an electronic system for exchanging transit information between businesses and the Norwegian Customs, and for pre-notification of goods directly to and from third countries) and other international registries such as the EU Business Register, and EU systems for origin, such as REX (Registered Exporter System), food, and market surveillance systems such as RAPEX (Rapid Alert System for Dangerous Goods) and TRACES (Trade Control and Expert System), among others.
• Tips and alerts from the public.
• Information obtained through control activities carried out by the Norwegian Customs itself or other public authorities.
• Information from publicly available sources, such as open websites.
• Information about cross-border traffic on roads and ferry terminals from our license plate recognition system (ANPR).
• Passenger information from transport companies.
• Surveillance camera footage at customs stations.
• Surveillance camera footage in our office buildings.

Where does the Norwegian Customs process personal data?

Personal data is processed in various registers and systems of the Norwegian Customs, such as:

• The declaration processing system TVINN
• The customer register of the Norwegian Customs
• Our archive and case handling system Public360
• Our intelligence and analysis systems.

Reports are processed according to guidelines from the Norwegian Labor Inspection Authority

When necessary for the work of planning, targeting, and conducting control activities, the Norwegian Customs also compiles and analyzes personal data from various sources and information systems that we have access to.

Who has access, and how does the Norwegian Customs safeguard the information?

Employees of the Norwegian Customs process your personal data only when necessary for the customs to perform its tasks.

Our IT systems are access-controlled based on the principle that each employee should have a work-related need for access to the stored information, and we protect the information in our IT systems through firewalls.

All employees in the Norwegian Customs and entities performing tasks on behalf of the customs are bound by confidentiality regarding financial and income-related matters, as well as other economic, business-related, and personal matters they may access through their work.

We continuously work to ensure that existing IT systems have robust information security and function as intended.

Use of data processors

Some of the personal data for which the Norwegian Customs is responsible is processed by external entities on behalf of us. These external entities are data processors for the Norwegian Customs. When using data processors, agreements are made with them, and we are responsible for verifying that data processors handle the information in accordance with regulations and agreements. Our suppliers cannot use the information for purposes other than those for which it was collected and clarified with us.

Who can the Norwegian Customs disclose personal data to?

The Norwegian Customs only discloses personal data when there is a valid legal basis. This includes, among others, disclosure to:

• Other public authorities, such as the Norwegian Tax Administration, agricultural authorities, the police, or the Norwegian Labour and Welfare Administration (NAV).
• EU control bodies and supervisory authorities when regulated by a regulation or directive incorporated into the EEA Agreement, including the EU's Common Import Control System (ICS2 - Import Control System 2 - Common Repository) and the Customs Agency's electronic transit system (NCTS).
• Foreign customs authorities with whom we have an agreement.
• Research and statistical organizations, such as Statistics Norway (SSB).
• The National Archives under the Archives Act.
• The Norwegian Customs uses external suppliers for the operation and maintenance of our IT services, including case processing/archiving and video conferencing solutions. Infrastructure and data are located within the EU/EEA or countries that achieve an adequate level of protection according to the EU Commission's adequacy decision.
• In certain cases, the Norwegian CUstoms may disclose personal information to data processors located in the United States, provided they are certified participants in the EU-US Data Privacy Framework or utilize Standard Contractual Clauses (SCC) supplemented by adequate protective measures (encryption).

How long can the Norwegian Customs store personal data?

The Norwegian Customs retains your personal data for as long as necessary to perform our legally mandated tasks and in accordance with applicable legislation.

The specific need for storing personal data will depend on the type of information and the tasks we need to accomplish. As a general rule, personal data will be deleted or anonymized when the need for storage ceases, unless we have a legal obligation to retain them under other regulations, such as the Archives Act.

Personal data obtained through the license plate recognition system is specifically regulated in the Movement of Goods Act, which states that this information can be stored for up to 6 months after collection.

The Norwegian Customs receives information and tips about illegal import and export of goods. In such cases, we must verify whether unverified personal data is correct and relevant within 4 months.

Recordings from camera surveillance at customs stations are automatically deleted after 7 days but may be stored for up to 30 days in exceptional cases if it is likely that the recording will be handed over to the police in connection with criminal activities or accidents.

Responsibility for the processing of personal data

Controller

The Director of Customs is the data controller for all processing of personal information that takes place within the Norwegian Customs. This responsibility includes ensuring that personal information is used and processed in accordance with the regulations.

Data Processing Agreements

The Norwegian Customs enters into data processing agreements with all entities that process personal information on our behalf. They are not allowed to process the personal information in ways other than agreed upon with us, and they are bound by confidentiality for the information they access.

Your right

Right to access

You can request more information about how we process your personal data, such as the specific personal data we have registered about you, the purposes for which they are used, where they were obtained from, and whether they have been disclosed to a third party. You can also request a copy of the personal data.

However, in certain cases, we may deny access if it is necessary and the conditions for denial are met, for example, for the purpose of uncovering violations of customs legislation or for the protection of other individuals.

Read more about the right to access | European Comission Site

Right to rectification

You can ask us to correct or supplement information about you that is incorrect or misleading.

Read more about the right to rectification | European Comission Site

Right to erasure

In certain situations, you can ask us to delete information about yourself.

Read more about the right to erasure | European Comission Site

Right to restriction

In some situations, you can also ask us to restrict the processing of data about you.

Read more about the right to restriction | European Comission Site

Right to object

In some cases, you have the right to object to our processing of data about you.

Read more about the right to object | European Comission Site

Right to lodge a complaint

If you believe that the Norwegian Customs is not processing your personal data in accordance with applicable law, you can complain to the Data Protection Authority in Norway.

Contact us

You can contact the Norwegian Customs by using this contact form. For the sake of your privacy, do not send special categories of personal data, such as health information, in this form.

Contact the Data Protection Officer

You can also contact the Norwegian Customs’ data protection officer for advice and guidance on our processing of personal data in general. The data protection officer will be able to help you safeguard your privacy interests, including how to exercise your rights. You can contact the officer at [email protected].