Hydro’s mother company is Norsk Hydro ASA (Norwegian organization No. 914778271). Hydro’s lead data protection authority is the Norwegian Data Protection Authority; Datatilsynet.
Hydro’s Binding Corporate Rules (BCR) for data protection and intragroup transfer of personal data
Hydro has committed itself to a general principle of protecting personal data through the Hydro Code of Conduct, which is available here. To ensure such protection, Hydro has adopted a global procedure for data protection. The Hydro Data Protection Procedure ensures the implementation of consistent and uniform data protection principles within the Hydro Group.
If necessary for the purpose of a specific processing activity, personal data may be transferred between legal entities within the Hydro Group. Each entity will be acting as a Data Controller, either jointly or separately, or as a Data Processor on behalf of other entities, depending on the relevant activity. Hydro’s Data Protection Procedure is approved by European Data Protection Authorities to function as Binding Corporate Rules (BCR). These rules form a basis for safe personal data transfer from Hydro companies established within the European Economic Area (EEA) to Hydro companies established outside the EEA.
A public version of Hydro’s Data Protection Procedure is available here.
When and why we collect and process personal data:
Personal data collected and processed by Hydro when visiting our website will depend on your interactions with the site. However, some basic identifiable information such as your IP address is retained and processed regardless of further interaction. This is done to help us better understand and improve the site’s features and functionality. We may also collect and create aggregated or anonymous data from usage activity on our site for the same reason. These processing activities are considered necessary for the purpose of making the website available and functional for our visitors. Hydro’s legal basis for these processing activities is our legitimate interest.
Additional processing of personal data in relation to your use of and movements on our website is subject to your explicit consent to the use of tracking technologies. Read more about this here.
If you submit information in contact forms or free text fields, provide comments or log into specific sections of the site, Hydro’s subsequent processing of your personal data will depend on the purpose of your activity and your relation to Hydro. This will be further described below.
Communication via our contact forms
On our website you can fill out and submit contact forms for different purposes. When you make use of a contact form, we collect any personal data you provide in the form. Where contact forms include free text field, we advise you not to provide any personal data unless it is considered highly necessary. Hydro only processes the personal data required for the purpose of following up your specific request. Hydro’s legal basis for such processing is our legitimate business interest.
Subscribers to our newsletters
You may receive marketing communications, including newsletters, to the extent you have requested such information from us and provided your consent. If you subscribe to receive such communication, we will collect and store your name and email address to be able to send you the materials requested. For processing based on your consent, you can withdraw this at any time.
Communication via social media
Hydro maintains an active presence on multiple social media platforms to better connect and inform stakeholders, including, but not limited to Facebook, Instagram, LinkedIn, YouTube and X (Twitter). As with the website, Hydro may collect and process certain personal data of visitors and followers on these networks for marketing and recruitment purposes. This data is provided to Hydro by each social media platform, and the level of data collected varies with their respective practices and users' privacy settings. Typically, the data handed to Hydro is related to demographic information, as well as username, email address, and profile picture. Hydro’s legal basis for such processing is our legitimate business interest. Each social media provider will, in addition, process users’ personal data as stated in their respective privacy notices.
Hydro’s business partners may include third parties such as agents and intermediaries, strategic business partners, suppliers, and customers.
If you are one of Hydro’s business partners, we will collect and process personal data about you for the purpose of managing our professional relationship. The type of data collected will depend on our relation, but will typically include name and professional email address, the name of your employer and your role in that company. If our relationship involves payments being made to/from you as a named individual, additional information such as your date of birth and nationality may also be required to ensure correct identification.
We mainly process personal data for the above purposes based on your consent, or in pursuit of Hydro’s legitimate business interests. We may also rely on other legal bases for processing business partner data, including for performance of a contract, compliance with legal obligations or in relation to legal claims and proceedings. When processing is based on your consent, you can withdraw this at any time. Withdrawing your consent will not affect the lawfulness of the processing based on the consent prior to you withdrawing it.
Integrity Due Diligence (IDD) and business partner risk management:
As part of managing our third-party risk exposure, Hydro will collect and process information about our business partners to ensure an effective and sufficient IDD process. The purpose of an IDD is to identify actual or potential risks related to areas such as corruption, improper payments or human rights, in addition to potential problems such as insolvency, credit issues, court judgements or commercial failures connected to our business partners. The IDD is carried out to assess whether the business partner's conduct is acceptable, both prior to and during the (potential) business relationship.
To the extent necessary considering the relationship and transaction at hand, we may be required to collect additional information about individuals such as political exposure, sanctions listings, conflicts of interest, legal claims or suspicions of illegal activities, as well as other substantiated reputational issues which could have a direct or indirect adverse effect on Hydro.
Hydro’s legal bases for processing personal data in the IDD process is to comply with legal obligations, to pursue our legitimate business interests and to establish, exercise or defend legal claims.
Hydro is required to collect certain personal data about its board members and their relations for several purposes, including to ensure compliance with obligations placed on us as a publicly traded company. We also process personal data about board members for administration purposes, and we may collect and share relevant information about our board members’ education, career, and experience on our website.
Hydro’s legal basis for processing personal data of Hydro’s board members will depend on the specific purpose of the processing at hand. Applicable legal bases are consent, compliance with legal obligations and/or Hydro’s legitimate business interests.
If deemed necessary, Hydro may request access to information about underlying shareholders. This may involve details about ownership on an individual level and include personal data about individual shareholders, such as name, address, and number of shares in Hydro.
Hydro’s purpose for processing personal data about our shareholders is to ensure compliance with the requirements and expectations placed on publicly traded companies in different jurisdictions. The legal basis for this processing activity is Hydro’s legitimate business interests and compliance with legal obligations.
Hydro will always strive to ensure personal data is only shared with and/or transferred to third parties in accordance with the Hydro Data Protection Procedure and applicable data protection law. If we rely on third-party subcontractors to deliver services or IT systems that processes personal data on Hydro’s behalf, a Data Processing Agreement (DPA) or equivalent contract will be in place with said third-party.
Subject to applicable laws and Hydro’s Data Protection Procedure, personal data may be disclosed to third parties as:
- companies within the Hydro Group (as described in the introduction),
- external service providers acting as Data Processors,
- as necessary, third-party providers of professional services acting as independent Data Controllers, such as law-firms, banks, or certified auditors, and
- public authorities acting as Data Controllers, when mandated by law.
If the sharing of personal data involves a transfer of data protected under EEA law to third countries without a sufficient level of data protection, Hydro will always strive to ensure this transfer does not take place until additional safeguards such as the EU Standard Contractual Clauses (SCCs) or similar mechanisms are in place.
About individuals’ data privacy rights and how to contact us
If we are processing personal data about you, you may at any time reach out to us with questions, concerns, or complaints. You can email us on email@example.com or use the contact form on our website (choose topic: “Data Privacy”). You may also approach one of our local Data Privacy Officers, where appointed. Certain Hydro group entities are required per law to appoint a local Data Protection Officer.
Upon request, you have the right to be informed about any personal data we may process about you. You may request the deletion of any excessive personal data or ask for corrections should you believe the data is incorrect.
If you are not satisfied with our response to your request or how we addressed your concerns, you may contact the Norwegian Data Protection Authority, Datatilsynet, to lodge a complaint. As an EU resident you may also choose to contact your local Data Protection Authority.
To learn more about individuals’ rights under applicable EU data protection law, please read more on Datatilsynet’s website (available in both Norwegian and English).