Privacy Policy – A Drop in the Ocean
Applicable as of June 10, 2018.
Updated August 1, 2020
Version: 3.
Contents
1 Introduction
2.Rights
3.Personal data – processing and storage of these
4.Security / Securing of Personal data
1 Introduction
1.1. Purpose
A Drop in the Ocean’s intention with this Privacy Statement is to document that we care for all registered subject and users’ data and that we treat these in accordance with current Norwegian privacy legislation, including the EU’s Privacy Policy (GDPR).
The Privacy Statement provides an overview of the rights of our registered subjects’ and users’ data. It contains information about what personal data A Drop in the Ocean collects, processes and stores, and what data is processed about our users, what the data is used for, how to request access to or deletion of the users’ personal data, which data processors and third parties have access to the information, and how we protect the registered subjects’ privacy.
1.2 Definitions
By registered subject, the registrant or user we mean the person the data concerns, e.g. an employee, a volunteer, a field worker, a beneficiary (refugee), a contributor, a newsletter subscriber, or a supplier’s contact person. In practice, this includes all persons we process and store data about.
Personal data is data and assessments that can be linked to an identifiable person. Examples of personal data are; name, address, date of birth, social security number, tax number or other personal identification numbers, telephone number, recognisable photo, e-mail address and dynamic IP-address.
Processing of personal data includes any use of personal data, e.g. fundraising, registration, assembly, storage and extradition or a combination of such uses. All processing of personal data is governed by the personal data regulation applicable at any given time.
A data controller is in charge of overseeing that these regulations are complied with at all times. A company or an organisation is considered to be responsible for the data processing upon determining the purpose of processing personal data and how to use it. The organisation remains responsible even if a third-party data processor, as for example system suppliers, authorities or accountants, is involved. The organisation is responsible for making the data processors understand that the organisation’s regulations apply. More information on this subject under section 3.4.
2. Rights
2.1. Right of access (GDPR Article 15)
The registered subject has the right to gain insight into whether and what data we have stored about him / her. Anyone wishing to access this data may send an e-mail to post@drapenihavet.no and mark the e-mail with “Personal Data Inspection”. The request will then be communicated to our data controller and the response to the request will be available within one month after the e-mail has been received (GDPR Article 12). If it is not possible to process the request within this deadline, information will be given within one month of receipt of the request.
2.2 Right to erasure (GDPR article 17)
Under the legislation, the registered person has the right to demand the deletion of his / her personal data. This is called the right to erasure / right to be forgotten. The registrant may require that information about him / her be deleted when;
- it is no longer necessary to keep the information in order to achieve the purpose of the processing,
- the processing is based on consent and the consent is withdrawn,
- the registered persons have the right to oppose the processing of personal data
- personal information has been processed in violation of the rules,
- personal data have been collected in connection with children’s use of online services.
A Drop in the Ocean will – for statistical purposes – continue to store certain data on the basis of Article 89 of the GDPR. The following information is stored after deletion of other personal data:
About volunteer field workers
– Gender
– Age
– Nationality
– Location and period for field work
About financial donors
– Gender
– Age
– Zip code / post code
– Donated amount
– Month/year of donation
About refugees
– Gender
– Age
– Nationality
Personal data may be processed on the basis of Article 6 (1) (e) of the Privacy Regulation if it is necessary for archival purposes in the public interest, purposes related to scientific or historical research or statistical purposes, although it is no longer necessary for its original purpose. The processing shall be covered by the necessary guarantees in accordance with Article 89 (1) of the Personal Data Protection Ordinance.
In accordance with Article 89 (1) of the GDPR, technical and organisational measures must be introduced to ensure in particular that the principle of data minimisation is complied with.
A Drop in the Ocean ensures that the remaining stored data will be anonymised and encrypted. The information will only be processed to document the organisations activities to the tax authorities, public bodies, etc. in connection with application processes, data processing and situations where it is required to account for the organisations work and results.
Special categories of personal data
Processing of personal data of a racial or ethnic origin, political opinion, religion, belief or union membership, as well as the processing of genetic data and biometric data for the purpose of unambiguously identifying an actual person, his/her health information, sexual relationship or sexual orientation, is prohibited under Article 9 of the GDPR.
However, this prohibition is exempted (Article 9 (2) (j)), for statistical purposes. The prerequisites are that the processing takes place in accordance with Article 89, paragraph 1, on the basis of Union law or the national law of the member states which must be proportionate to the objective sought, be consistent with the fundamental content of the right to protection of personal data and ensure appropriate and special measures to protect the registered persons fundamental rights and interests. That means that if a registrant wishes to delete all his/her information, personal data may still be processed without the consent of the data subject if the processing is necessary for archival purposes in the public interest, scientific or historical research, statistical purposes and if the interest of the community the processing takes place in, clearly outweighs any disadvantages for the subject.
A Drop in the Ocean considers the processing of this data to be in the interest of society and that any disadvantages to a single subject is clearly outweighed. In case of a disagreement on this, a complaint can be made. See below in section 2.6 on appeal.
Registered subjects who wish to have their personal data deleted can request so by sending an e-mail to post@drapenihavet.no and mark it “Deletion of personal data”. The request will then be communicated to our data controller and the response to the request will be available within one month after the e-mail has been received. If it is not possible to process the request within this deadline, information will be given within one month of receipt of the request.
A Drop in the Ocean will, upon request from the registered person for deletion of personal data, send a feedback containing confirmation that the information that identifies the person has been deleted as well as information about which information is requested kept.
2.3. The right to claim restriction (GDPR Articles 18 and 19)
If the registrant does not want information to be deleted or contest that the information is correct, he or she may require the processing of personal data to be limited. By limitation means that the information is stored and can only be used:
- with the consent of the registrant,
- in order to defend a legal claim,
- to defend someone else’s rights, or
- to safeguard important social interests
When the information is to be deleted or restricted, the data controller is obliged to convey this to all who have received the personal data unless this is disproportionate or impossible.
2.4. The right to data portability (GDPR Article 20)
If someone processes personal data based on consent, for example, in order to fulfil an agreement with the registered person, the registrant may require to bring his information to another organisation. This is called data portability. If technically feasible, the registrant may require that the data controller ensures that the data is transferred to the new organisation.
The information should be in a structured, widely used and machine-readable format. The right to data portability does not apply to processes that are necessary for carrying out tasks in the public interest or under public authority.
2.5. The right to oppose processing
Individuals have, in some cases, the right to object that their personal data is processed. All processing of personal data must have a processing objective. What valid processing objective entails is explained in GDPR Articles 6 and 9. Whether or not an individual can be exempt from data processing is dependent upon what the processing basis is or what the purpose is.
Individuals can be exempt if:
- The data is processed because it is necessary to carry out a task in the public interest or for public authority issues according to the nature of the regulation. 6 (1) (e)
- The data is processed on the basis of an interest analysis. 6 (1) (f)
- The purpose of the processing is direct marketing (regardless of what the processing objective is)
If an individual opposes, the data controller must stop processing the data and delete the personal data.
Nevertheless, the data controller may continue to process the personal data if the organisation can show compelling, justified grounds outweighing an individuals’ right to privacy (see also section 2.2). The same applies if processing is required to comply with a legal claim. This exception does not apply when the purpose is direct marketing. Then the individual is always entitled to oppose.
Donors / financial contributors can decide what type of information or inquiries they wish to receive. By contacting giver@drapenihavet.no one can update consent or restrictions.
2.6. Right to appeal
Users / registered persons have the right to appeal to The Norwegian Data Protection Authority regarding the processing of his/her personal information, if they believe it has been done in violation of current privacy policy.
3. Personal data – processing and storage of these
3.1. Which data we collect
Depending on what type of user the registered person is and the role he/she has, we collect information that is necessary for the organisation’s work.
About recipients of our newsletter, we will save the e-mail address. First name and last name are stored if the recipient has provided this to us.
About financial donors, we store information that they themselves have provided. This includes name, address, e-mail address, phone number, date of birth, gender, and encrypted social security number. We do not save but we do have Facebook username (through fundraisers on Facebook).
About future, current or former field workers we save information provided by the field worker when registering on our website; name, gender, nationality, date of birth, address, e-mail address, telephone number, occupation, experience from humanitarian work, as well as information given regarding next of kin (name and telephone number). In addition, we also save where the volunteer has worked in the field and what period he/she was at the location. Field workers provide the organisation with their criminal background check, insurance information and passport number or copy of passport. Field workers also fill out a self-declaration form which includes information mentioned above.
Applications and CV sent to us from prospective administrative volunteers or field coordinators, are stored in our email system and in our electronic staff archive.
About employees in A Drop in the Ocean, we store name, address, telephone number, social security number, bank account number and address in our payroll system and in our electronic staff register, where we also store the employment contract.
In regards to refugees participating in activities or receiving assistance (clothing, shoes, food, diapers, other help or support) from A Drop in the Ocean, the following information is stored: name, age or date of birth, ID number, nationality and address (e.g, container number in the refugee camp), clothing- and shoe size.
Upon purchase in our online store, information about name, address, e-mail address and what products were purchased, is saved.
3.2 The information is collected as follows
Newsletter recipients
When registering for our newsletters through our website, consent is given to receive newsletters.
Financial contributors / donors
Contributors/donors register the information themselves, as a regular donor through bank or SMS or financial contribution given once. We receive the social security number through an encrypted link. As with contributions to fundraising campaigns on Facebook, information is provided by the contributor.
Field worker
The field worker registers a personal profile on our website. Here he/she can tic the box for consent for the storage and process of personal data. When a field worker is accepted for a volunteer assignment, he/she will be asked to provide us with copy of passport/passport number, insurance details, criminal background check, as well as filling out a form with personal information that is forwarded to the camp management where he/she will be volunteering. This information is recorded in our email-system and electronic archive. The field worker provide us with their address at the location and next of kin, which is kept by coordinators as long as the field worker is present.
Applicants (for voluntary work)
Information is stored from the applicants e-mail contact to a Drop in the Ocean, this information is submitted by the applicant.
Employee
Information is provided by the employee prior to writing a contract of employment, as well as collected from the Tax Administration.
Refugee
Information is obtained when he/she provide their personal information in a conversation with representatives from A Drop in the Ocean. Or if given to A Drop in the Ocean by the representatives from the management of the refugee camp.
Buyer (online store)
The buyer provides the necessary information when they register their purchase.
3.3. What is the information used for/what is its purpose?
Personal data will not be stored longer than necessary to fulfil the purpose of the processing. The purpose of processing / storing the different types of personal data depends on the type of commitment the registrant has in A Drop in the Ocean, and is explained in the following list:
Newsletter recipient:
In order to send out newsletters as requested by the recipient, it is necessary that we save the e-mail address.
Financial contributor
In order to report to the tax authorities if the contributor wants tax deductions, as well as to ensure predictability and keep an overview of the organisation’s financial situation and to prepare statistics.
To inform contributors about the importance and effect of their contributions.
To ensure that the contact information and potential reservations we have registered on our contributors are updated, our data controller will do regular checks against the Norwegian National Population Register.
Field worker
We need information about the length of the assignment, nationality, gender, and age in order to plan for the coming assignment and ensure sufficient number of field workers at all locations.
- E-mail address is necessary in order to send out important information about the assignment.
- In order to be accepted as a field worker with A Drop in the Ocean, it is required by national government to provide the personal data mentioned above.
- Local authorities may also require some of the abovementioned personal data in order to get access to the camp.
- Information about the field worker’s next of kin is saved in case of an emergency, crisis situation or event involving the volunteer field worker.
Employee
According to the Norwegian Working Environment Act, all employees must have employment contracts containing the personal information described above. This is necessary to register employees in our payroll system and to pay the correct salary. The insurance company needs information relating to retirement and employee insurance.
Refugee
To ensure that refugees become part of our distribution where we provide such services as well as registering them to our activities. We must have an overview of what is distributed at any given time to ensure fairness. In order to plan what is needed in the times ahead, we rely on storing information related to refugees. We also need this information to be able to plan our human resources to activities as well as informing the relevant camp management.
Customer in online store
In order to send out products purchased in our online store, or to send a gift certificate for symbolic gifts.
3.4. Where information is stored
The personal information is processed by third parties data processors in their databases, required for us to use to keep track of our work. Data processing agreements have been compiled with relevant actors. Details of the purpose of storing the information are given in the above paragraphs. The following data processors/institutions save personal data:
– Solidus
– Paypal
– Tripletex
– Gjensidige
– Tax Administration
– DnB
– Amazon Web Services
– WordPress / WP Hotel
– Puzzel
– Stripe
– Facebook
– WhatsApp
– Vipps
– Mailchimp
– National government in Greece
– Local authorities at our locations in Greece
– Microsoft
– Givepanel
– Citrix
– Mobilise/Azure
– Iper Direkte
– Boxtribute/Google Cloud Services
A Drop in the Ocean will not divulge, sell, convey or otherwise disclose personal data about the registrant other than what is stated in this Privacy Statement, unless we are required to do so as a result of a binding court decision or we have obtained the consent of the registrant. However, this does not prevent us from using a data processor that processes the personal information on our behalf in accordance with the data processing agreement. Data processors who gain access the registered / user’s personal data in connection with services for A Drop in the Ocean (for example, when we use a third party to make payment transactions or store information on a web server) are subject to confidentiality and are not allowed to use this information in any other way than in the performance of services for us, as of the GDPR Article 28. All data processors we use have rules for processing personal data under GDPR.
Links to our system vendors / data vendors privacy statements:
Solidus: https://solidus.no/personvernerklaering/
Paypal: https://www.paypal.com/no/webapps/mpp/ua/privacy-full
Tripletex: https://www.tripletex.no/gdpr-og-personvern/
Gjensidige: https://www.gjensidige.no/personvern-og-sikkerhet
Norwegian tax Authorities : https://www.skatteetaten.no/om-skatteetaten/personvern/
DnB: https://www.dnb.no/om-oss/personvern.html
Amazon Web Services (AWS): https://aws.amazon.com/compliance/eu-data-protection/
WordPress/WPHotel: https://wphotell.unitedworks.no/vilkar-og-betingelser/
Puzzel: https://www.puzzel.com/uk/about-us/trust-centre/gdpr/
Stripe: https://stripe.com/guides/general-data-protection-regulation
Facebook: https://www.facebook.com/privacy/explanation
WhatsApp: https://www.whatsapp.com/security/?lang=nb
Vipps: https://www.vipps.no/vilkar/cookie-og-personvern
Mailchimp: https://mailchimp.com/legal/privacy/?_ga=2.55378347.1202434019.1528100659-579363101.1528100659
GivePanel: https://givepanel.com/privacy/
Citrix: https://www.citrix.com/about/legal/privacy/
Microsoft: https://privacy.microsoft.com/nb-no/privacystatement
Coogle Clooud Service: https://policies.google.com/privacy?hl=en
Iper Direkte: https://sites.google.com/a/iper.no/iperbetingelser/home/gdpr-policy
4. Security / Protection of Personal Information / Routines
4.1. Routines and measures
We have established routines and measures at different levels to ensure that unauthorized persons do not gain access to the registered/user’s personal data and that all processing of the information is in accordance with applicable law. These measures include regular risk assessments, technical systems and physical procedures to safeguard information security and routines to verify inspection and rectification requests. All users of A Drop in the Ocean’s IT-systems have signed “Instruction for electronic communication and privacy policy” describing how we protect and handle sensitive personal data and make sure that personal information do not get lost. We have also implemented routines and measures in case of discrepancies in processing and storing of personal data.
4. 2 Use of analytics tools, cookies, and other technologies
We continuously work with the user experience on our website. Therefore, we collect different types of information from our users so that we can always provide the best possible functionality. Examples of such information are which pages are visited, at what time and what kind of browser was used. We also use different types of technology to recognise our users and to analyse data about these. The technology is used partly because it is necessary for services to function, partly because it will be easier to use the service and partly to enable us to carry out analyses that enable us to further develop our service. By using our service, users agree that we may use such tools unless they disable them, for example, by changing settings for cookies in their browser, or disabling a third-party tool by clicking on an opt-out link.
What are cookies?
A cookie is a small text file stored on the user’s PC / mobile phone / tablet, which helps us make the visits to our sites more meaningful and positive to the user. For example, cookies may contain user settings and information about how they have surfed and used our website, etc. The web application that allows you to register a personal profile uses cookies to save user preferences in the browser. Use of cookies is required to use this service.
How do we use cookies?
We use cookies to facilitate the use of our service and to provide our users with relevant information when they visit our site. Cookies are also used to measure traffic on our website, to gather statistics and to improve our service. In addition, we can use third-party cookies to measure and analyse traffic and the use of our website, track behaviour to build audiences for marketing purposes, simplify ad management, and improve the functionality of the webpages.
How can users view which cookies are stored in the browser?
The browser settings usually contain an overview of all cookies that are stored so that one can view and delete unwanted cookies. The browser usually stores all cookies in a specific folder on the hard drive, so that one can examine the content in detail.