Privacy Notice Audit and Investigation
This privacy notice provides information about processing of personal data as part of Telenor Group Internal Audit and Investigation (hereafter GIAI) when conducting an internal audit or investigation. Telenor ASA will be the controller for processing of personal data for audits and investigations conducted throughout the Telenor Group.
Categories of personal data processed
Based on the actual case we will process personal data relevant to investigate the case properly. We limit the data to what is necessary and this will be assessed on a case-by-case basis. The following personal data can be processed by us when conducting an audit or investigation:
Data related to the employee or third party: Contact data, work-related information and employment records, knowledge and competencies, training completion
Financial data and procurement information
Communication data
Data related to specific events or situations
Log data from systems, applications, cloud and local storage and our office premises and warehouses, including CCTV-recordings
Information provided by the reporter
Open internal information
Forensics data (such as content from emails being part of the investigation)
Sales related documents, logs and data
Telco related logs and data
Police report register
Vehicles related information, documents, logs and data
Gift register data
Vendor related information
Telenor does not systematically process special categories of data, but from time to time such of data may be processed due to the nature of the case. This could be personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Purpose of processing
We are processing your personal data for the following purposes:
Provide independent assurance that Telenor Group companies are operating effectively
Investigate actual or suspected misconduct in Telenor Group companies or by our partners or vendors
Legal basis for processing
The processing is based on the following legal basis:
The processing of personal data in relation to investigations is necessary in compliance to the Norwegian Working Environment Act and relevant similar legislation in other Nordic countries where applicable.
Telenor’s legitimate interest to:
Ensure compliance with relevant laws and regulations as well as our Code of Conduct
Protect our assets and our information
Maintain a robust internal control system
For processing of special categories of data, the exception set out in GDPR article 9.2 (b) applies.
Storage Period
Telenor will in line with applicable regulations and internal procedures, store personal data as long as necessary to fulfil the purpose of the processing in question. Based on the categorisation of the case, as well as legal obligations to store the data, your data will be stored between two to five years. Due to the sensitive nature of audits and investigation, some personal data might be stored up to 10 years after the conduction of the audit or the investigation to the extend necessary to protect against possible legal claims and new misconduct.
With whom do we share your personal data
To fulfil the purposes of the processing, we engage the following third parties:
Relevant government agencies, such as the police
Other Telenor Group companies when relevant for the specific case
Consultant companies
Software providers and service providers to conduct the investigations
Transfer
If personal data is transferred to or accessed from countries outside the EU/EEA, Telenor is obligated to ensure that your personal data have the same level of privacy protection as provided by the GDPR. To ensure a sufficient level of protection for transfers of personal data, Telenor will make sure that transfers are based on a valid transfer basis and that Transfer Impact Assessments (TIA) are carried out when needed. With transfers out of the EU/EEA area, Telenor will follow the Standard Contractual Clauses developed by the EU Commission, unless (i) the personal data is transferred to a country included on the EU Commission’s list of third countries which has an equivalent level of privacy protections as within EU/EES, or (ii) the personal data is transferred to a company certified under the EU-US Data Privacy Framework.
Your rights
You have the following rights when we are processing your data:
Right to information
Right to access personal data
Right to rectification of personal data
Right to erasure of personal data
Right to restriction of processing of personal data
Right to object to the processing of personal data
Right to data portability
Right to withdraw your consent if our processing is based on this
Note that these rights may be limited, depending on the concrete circumstances, as legally mandated.
You may also lodge a complaint about our processing of information about you to your local Data Protection Supervisory Authority.
Updates to this Statement
This Privacy Statement was last updated on 29.06.2026.
Contact details of the data controller:
Telenor ASA
Snarøyveien 30, 1360 Fornebu
If you have any question or comments about how we are processing your personal data, please contact us on this email: webmaster@telenor.com
Please note: You may use the contact information above for privacy related enquiries only. All other enquiries will be ignored.