This privacy notice provides information about processing of personal data as part of Telenor Group Internal Audit and Investigation (hereafter GIAI) when conducting an internal audit or investigation. Telenor ASA will be the controller for processing of personal data for audits and investigations conducted throughout the Telenor Group.

Categories of personal data processed

Based on the actual case we will process personal data relevant to investigate the case properly. We limit the data to what is necessary and this will be assessed on a case-by-case basis. The following personal data can be processed by us when conducting an audit or investigation:

  • Data related to the employee or third party: Contact data, work-related information and employment records, knowledge and competencies, training completion

  • Financial data and procurement information

  • Communication data

  • Data related to specific events or situations

  • Log data from systems, applications, cloud and local storage and our office premises and warehouses, including CCTV-recordings

  • Information provided by the reporter

  • Open internal information

  • Forensics data (such as content from emails being part of the investigation)

  • Sales related documents, logs and data

  • Telco related logs and data

  • Police report register

  • Vehicles related information, documents, logs and data

  • Gift register data

  • Vendor related information

Telenor does not systematically process special categories of data, but from time to time such of data may be processed due to the nature of the case. This could be personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Purpose of processing

We are processing your personal data for the following purposes:

  • Provide independent assurance that Telenor Group companies are operating effectively

  • Investigate actual or suspected misconduct in Telenor Group companies or by our partners or vendors

Legal basis for processing

The processing is based on the following legal basis:

  • The processing of personal data in relation to investigations is necessary in compliance to the Norwegian Working Environment Act and relevant similar legislation in other Nordic countries where applicable.

  • Telenor’s legitimate interest to:

    • Ensure compliance with relevant laws and regulations as well as our Code of Conduct

    • Protect our assets and our information

    • Maintain a robust internal control system

For processing of special categories of data, the exception set out in GDPR article 9.2 (b) applies.

Storage Period

Telenor will in line with applicable regulations and internal procedures, store personal data as long as necessary to fulfil the purpose of the processing in question. Based on the categorisation of the case, as well as legal obligations to store the data, your data will be stored between two to five years. Due to the sensitive nature of audits and investigation, some personal data might be stored up to 10 years after the conduction of the audit or the investigation to the extend necessary to protect against possible legal claims and new misconduct.

With whom do we share your personal data

To fulfil the purposes of the processing, we engage the following third parties:

  • Relevant government agencies, such as the police

  • Other Telenor Group companies when relevant for the specific case

  • Consultant companies

  • Software providers and service providers to conduct the investigations

Transfer

If personal data is transferred to or accessed from countries outside the EU/EEA, Telenor is obligated to ensure that your personal data have the same level of privacy protection as provided by the GDPR. To ensure a sufficient level of protection for transfers of personal data, Telenor will make sure that transfers are based on a valid transfer basis and that Transfer Impact Assessments (TIA) are carried out when needed. With transfers out of the EU/EEA area, Telenor will follow the Standard Contractual Clauses developed by the EU Commission, unless (i) the personal data is transferred to a country included on the EU Commission’s list of third countries which has an equivalent level of privacy protections as within EU/EES, or (ii) the personal data is transferred to a company certified under the EU-US Data Privacy Framework.

Your rights

You have the following rights when we are processing your data:

  • Right to information

  • Right to access personal data

  • Right to rectification of personal data

  • Right to erasure of personal data

  • Right to restriction of processing of personal data

  • Right to object to the processing of personal data

  • Right to data portability

  • Right to withdraw your consent if our processing is based on this

Note that these rights may be limited, depending on the concrete circumstances, as legally mandated.

You may also lodge a complaint about our processing of information about you to your local Data Protection Supervisory Authority.

Updates to this Statement

This Privacy Statement was last updated on 29.06.2026.

Contact details of the data controller:

Telenor ASA
Snarøyveien 30, 1360 Fornebu

If you have any question or comments about how we are processing your personal data, please contact us on this email: webmaster@telenor.com

Please note: You may use the contact information above for privacy related enquiries only. All other enquiries will be ignored.