Data Protection


This policy provides a framework for ensuring that Norsk meets its obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 18). It applies to all the processing of personal data carried out by Norsk including processing carried out by joint controllers, contractors, and processors.

Norsk complies with data protection legislation guided by the six data protection principles.

In summary, they require that personal data is:

  1. Processed fairly, lawfully and in a transparent manner.

  2. Used only for limited, specified stated purposes and not used or disclosed in any way incompatible with those purposes.

  3. Adequate, relevant, and limited to what is necessary.

  4. Accurate and, where necessary, up to date.

  5. Not kept for longer than necessary; and

  6. Kept safe and secure.

In addition, the accountability principle requires us to be able to evidence our compliance with the above six principles and make sure that we do not put individuals at risk because of processing their personal data.

Failure to do so can result in a breach of legislation, reputational damage, or financial implications due to fines. To meet our obligations, we put in place appropriate and effective measures to make sure we comply with data protection law.


The UK GDPR definition of "personal data" includes any information relating to an identified or identifiable natural living person.

Pseudonymised personal data is covered by the legislation; however, anonymised data is not regulated by the UK GDPR or DPA 18, provided the anonymisation has not been done in a reversible way.

Some personal data is more sensitive and is afforded more protection. This is information related to:

  1. Race or ethnic origin;

  2. Political opinions;

  3. Religious or philosophical beliefs;

  4. Trade union membership;

  5. Genetic data;

  6. Biometric ID data;

  7. Health data;

  8. Sexual life and/or sexual orientation; and

  9. Criminal data (convictions and offences).


Norsk is committed to transparent, lawful, fair, and proportionate processing of personal data. This includes all personal data we process about customers, staff or those who work or interact with us.

  1. Privacy Policy - We publish a privacy policy on our website and provide timely notices where this is required.

  2. Training - We require all staff to undertake mandatory UK GDPR Awareness training, which they re-take every year.

  3. Breaches - We consider personal data breach incidents and have a reporting mechanism that is communicated to all staff. We assess whether we need to report breaches to the ICO as the Regulator of the DPA. We take appropriate action to make data subjects aware if needed.

  4. Information Rights - We have a dedicated team and clear processes to handle subject access requests and other information rights requests.

  5. Policies and Procedures - We produce policies and guidance on information management and compliance that we communicate to staff.

  6. Communications - We have a clear communication plan which seeks to embed a culture of privacy and risk orientation.

  7. Contracts - Our Commercial legal department oversees our contracts to ensure they are compliant with UK GDPR.


We have an established Compliance team that ensures the risk to personal data across Norsk is identified and appropriately managed.

This team’s detailed roles and responsibilities comprise:

  1. Data Protection Officer (DPO)
    Norsk's Data Protection Officer (DPO) is primarily responsible for advising on and assessing our compliance with the DPA and UK GDPR and making recommendations to improve compliance. Norsk's DPO is Gary Bartoletti.

  2. Chief Technology Officer (CTO)
    Norsk's Chief Technology Officer is primarily responsible for communicating corporate information management standards and procedures. The CTO also advises on compliance with data protection and implements IT solutions to ensure we take a privacy-by-design approach. Norsk's CTO is Nick Andrews.

  3. Other roles
    Specific roles are assigned throughout our senior team to manage personal data we process and the associated risks in terms of responsibilities, decision making and monitoring compliance.


Compliance with this policy will be monitored via the DPO.


Personal data: any information relating to an identifiable living individual who can be identified from that data or from that data and other data.

This includes not just being identified by name but also by any other identifier such as ID number, location data or online identifier, or being singled out by any factors specific to the physical, physiological, genetic, mental, cultural, or social identity of the individual.

Processing: anything that is done with personal data, including collection, storage, use, disclosure, and deletion.

Special category personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual's sex life or sexual orientation.

Controller: the organisation (or individual) which, either alone or jointly with another organisation (or individual) decides why and how to process personal data. The Controller is responsible for compliance with the DPA and GDPR.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.


Name: Norsk European Wholesale Ltd
Address: 2 Willow Road, Colnbrook, Berkshire, SL3 0BS
Tel: +44 (0)1753 800 800


Some information in this policy has been sourced from the Information Commissioner's Office website, Data Protection Policy September 2021 v1.0, licensed under the Open Government Licence.
