Privacy Statement – A Drop in the Ocean

Applicable as of June 7, 2018. Updated June 7, 2018. Version: 1

Contents

1. Introduction
2. Rights
3. Personal data – processing and storage of these
4. Security / Securing of Personal data

1. Introduction

1.1. Purpose

A Drop in the Ocean’s intention with this Privacy Statement is to document that we care for all registered subjects’ and users’ data and that we treat these in accordance with current Norwegian privacy legislation, including the EU’s new Privacy Policy (GDPR).

The Privacy Statement provides an overview of the rights of our registered subjects’ and users’ data. It contains information about what personal data A Drop in the Ocean collects, processes and stores, and what data is processed about our users, what the data is used for, which data processors and third parties have access to the information, and how we protect the registered subjects’ privacy.

1.2 Definitions

By registered subject, the registrant or user, we mean the person the data concerns, e.g. an employee, a volunteer, a contributor or a supplier’s contact person. In practice, this includes all persons we process and store data about.

Personal data is data and assessments that can be linked to an identifiable person. Examples of this kind of data are: name, address, date of birth, telephone number and e-mail address.

Processing of personal data includes any use of personal data, e.g. fundraising, registration, assembly, storage and extradition or a combination of such uses. All processing of personal data is governed by the personal data regulation applicable at any given time.

A data controller is in charge of overseeing that these regulations are complied with at all times. A company or an organisation is considered to be responsible for the data processing upon determining the purpose of processing personal data and how to use it. The organisation remains responsible even if a third-party data controller, like a system supplier or accountant, is involved. The organisation is responsible for making the data controllers understand that the organisation’s regulations apply. More information on this subject can be found in section 3.4.

2. Rights

2.1. Right of access (GDPR Article 15)

The registered subject has the right to gain insight into whether and what data we have stored about him / her. Anyone wishing to access this data may send an e-mail to post@drapenihavet.no and mark the e-mail with “Personal Data Inspection”. The request will then be communicated to our data controller and the response to the request must be available within one month after the e-mail has been received (GDPR Article 12). If it is not possible to process the request within this deadline, information will be given within one month of receipt of the request.

2.2 Right to erasure (GDPR Article 17)

Under the new legislation, the registered person has a clearer right to demand the deletion of his / her personal data. This is called the right to erasure / right to be forgotten. The registrant may require that information about him / her be deleted when:

  1. It is no longer necessary to keep the information in order to achieve the purpose of the processing
  2. The processing is based on consent and the consent is withdrawn
  3. The registered persons have the right to oppose the processing of personal data
  4. Personal information has been processed in violation of the rules
  5. Personal data have been collected in connection with children’s use of online services

A Drop in the Ocean wants – for statistical purposes – to continue to store certain data on the basis of Article 89 of the GDPR.

The following information is stored after deletion of other personal data:

About volunteers in the field:
– Gender
– Age
– Nationality
– Location and period for field work

About donors:
– Gender
– Age
– Donated amount
– Month / year of donation

Personal data may be processed on the basis of Article 6 (1) (e) of the Privacy Regulation if it is necessary for archival purposes in the public interest, purposes related to scientific or historical research or statistical purposes, although it is no longer necessary for its original purpose. The processing shall be covered by the necessary guarantees in accordance with Article 89 (1) of the Personal Data Protection Ordinance.

In accordance with Article 89 (1) of the GDPR, technical and organisational measures must be introduced to ensure in particular that the principle of data minimisation is complied with.
A Drop in the Ocean ensures that the remaining stored data will be anonymised and encrypted. The information will only be processed to document the organisation’s activities to the tax authorities, public bodies etc. in connection with application processes, data processing and situations where it is required to account for the organisation’s work and results.

Special categories of personal data
Processing of personal data of a racial or ethnic origin, political opinion, religion, belief or union membership, as well as the processing of genetic data and biometric data for the purpose of unambiguously identifying an actual person, his/her health information, sexual relationship or sexual orientation, is prohibited under Article 9 of the GDPR.

However, this prohibition is exempted (Article 9 (2) (j)) for statistical purposes. The prerequisites are that the processing takes place in accordance with Article 89, paragraph 1, on the basis of Union law or the national law of the member states which must be proportionate to the objective sought, be consistent with the fundamental content of the right to protection of personal data and ensure appropriate and special measures to protect the registered persons’ fundamental rights and interests.

That is, if a registrant wishes to delete all his/her information, personal data may still be processed without the consent of the data subject if the processing is necessary for archival purposes in the public interest, scientific or historical research, statistical purposes and if the interest of the community in which the processing takes place clearly outweighs any disadvantages for the subject.

A Drop in the Ocean considers that the processing of this data is in the interest of society and that any disadvantages to a single subject are clearly outweighed. In case of a disagreement on this, a complaint can be made. See section 2.6 below on appeal.

A Drop in the Ocean will, upon request from the registered person for deletion of personal data, send a response confirming that the information that identifies the person has been deleted, as well as stating which information is requested to be kept.

2.3. The right to claim restriction (GDPR Articles 18 and 19)

If the registrant does not want information to be deleted or contests that the information is correct, he or she may require that processing of personal data be limited. By limitation, it is meant that the information is stored and can only be used:

  1. With the consent of the registrant,
  2. In order to defend a legal claim,
  3. To defend someone else’s rights, or
  4. To safeguard important social interests

When the information is to be deleted or restricted, the data controller is obliged to convey this to all who have received the personal data unless this is disproportionate or impossible.

2.4. The right to data portability (GDPR Article 20)

If someone processes personal data based on consent, for example, in order to fulfill an agreement with the registered person, the registrant may request to take his/her information to another organisation. This is called data portability. If technically feasible, the registrant may require that the data controller ensures that the data is transferred to the new organisation.

The information should be in a structured, widely used and machine-readable format. The right to data portability does not apply to processes that are necessary for carrying out tasks in the public interest or under public authority.

2.5. The right to oppose processing

Individuals have, in some cases, the right to object to the processing of their personal information. All processing of personal data must have a processing objective. What a valid processing objective entails is explained in Articles 6 and 9 of the regulation. Whether an individual can be exempt from data processing depends on what the processing basis is or what the purpose is.

Individuals can be exempt if:

  1. The data is processed because it is necessary to carry out a task in the public interest or for public authority issues according to the regulation, Article 6 (1) (e)
  2. The data is processed on the basis of an interest analysis, Article 6 (1) (f)
  3. The purpose of the processing is direct marketing (regardless of what the processing objective is)

If an individual opposes, the data controller must stop processing the data and delete the personal data. This applies regardless of the method of processing.

Nevertheless, the data controller may continue to process the personal data if the organisation can show compelling, justified grounds outweighing an individual’s right to privacy (see also section 2.2 on continued processing of data for statistical purposes). The same applies if processing is required to comply with a legal claim. This exception does not apply when the purpose is direct marketing; in that case the individual is always entitled to oppose.

2.6. Right to appeal

Users / registered persons have the right to appeal to Datatilsynet regarding the processing of their personal information, if they believe it has been done in violation of current privacy policy.

3. Personal data – processing and storage of these

3.1. Which data we collect

Depending on what type of user the registered person is and the role he/she has, we collect information that is necessary for the organisation’s work.

About recipients of our newsletter, we will save the e-mail address and first name.

About financial donors, we store information that they themselves have provided. This includes name, address, e-mail address, phone number, gender, and encrypted social security number. We do not save, but have access to, usernames on Facebook (through fundraisers on Facebook).

About volunteers / users (not field workers) we store information provided to us by the volunteer on his/her personal profile registered on our website. This includes name, gender, nationality, date of birth, address, e-mail address, telephone number, medical grade and license number, as well as information given regarding next of kin (name and telephone number).

About future, current or former field workers we save information provided by the volunteer on the personal profile registered on our website; name, gender, nationality, date of birth, address, e-mail address, telephone number, medical grade and license number, as well as information given regarding next of kin (name and telephone number). In addition, we also save where the volunteer has worked in the field and what period he/she was at the location. We have also saved the volunteer’s passport number, or copy of passport.
For former field workers who receive the evaluation form from us, we have an IP address (from those who answer the evaluation), but this data will be deleted immediately upon sending and receiving a reply.

Applications and CVs sent to us by prospective administrative volunteers or field coordinators are stored in our email system and in our electronic staff archive.

About employees in A Drop in the Ocean, we store name, social security number, bank account number and address in our payroll system and in our electronic staff register, where we also store the employment contract. The signed original of the employment contract is also stored in a locked closet at our office.

With regard to refugees receiving assistance (clothing / shoes / food / other help or support) from A Drop in the Ocean, the following information is stored in our DropApp: name, age, nationality and address (e.g. container number in the refugee camp).

Upon purchase in our online store, information about name, address, e-mail address and what products were purchased, is saved.

3.2 The information is collected as follows

Newsletter recipients
When registering for our newsletters through our website, consent is given to receive newsletters.

Financial contributors / donors
Contributors/donors register the information themselves, as a regular donor through bank or SMS or financial contribution given once. We receive the social security number through an encrypted link. As with contributions to fundraising campaigns on Facebook, information is provided by the contributor.

Volunteer (including field worker)
The volunteer registers a personal profile on our website. Here he/she can tick the box for consent for the storage of information. When a field worker is accepted for a voluntary trip, he/she is asked to provide us with either a copy of his/her passport or his/her passport number. This information is recorded in the personal profile, or as a hard copy on location in the field.

Applicants (for voluntary work)
Information is stored from the applicant’s e-mail contact with A Drop in the Ocean; this information is submitted by the applicant.

Employee
Information is provided by the employee prior to writing a contract of employment, as well as collected from the Tax Administration.

Refugee
Information is obtained from a refugee when he/she provides personal information in a conversation with representatives from A Drop in the Ocean, or is given to A Drop in the Ocean by the management in the refugee camp.

Buyer (online store shop)
The buyer provides the necessary information when they register their purchase.

3.3. What is the information used for/what is its purpose?

Personal data will not be stored longer than necessary to fulfill the purpose of the processing. The purpose of processing / storing the different types of personal data depends on the type of commitment the registrant has in A Drop in the Ocean, and is explained in the following list:

Newsletter recipient:
In order to send out newsletters as requested by the recipient, it is necessary that we save the e-mail address.

Financial contributor
In order to report to the tax authorities if the contributor wants tax deductions, as well as to ensure predictability and keep an overview of the organisation’s financial situation and to prepare statistics.

Volunteer
We need to save information about the start and end date, as well as nationality, gender and age of the volunteer, to plan the participation and staffing at our locations. We need personal data to be able to send information to volunteer field workers. At some of our locations, passport or copy of passport is required from national or local authorities to access the camp.
Information about volunteer fieldworkers’ next of kin is saved in case of an emergency, crisis situation or event involving the volunteer field worker.

Employee
According to the Working Environment Act, all employees must have employment contracts containing the personal information described above. This is necessary to register employees in our payroll system and to pay the correct salary. The insurance company needs information relating to retirement and employee insurance.

Refugee
To ensure that refugees become part of our distribution where we provide such services. We must have an overview of what is distributed at any given time, to ensure fairness. In order to plan what is needed in the times ahead, we rely on storing information related to refugees.

Customer in online store
In order to send out products purchased in our online store, or to send a gift certificate for symbolic gifts.

3.4. Where information is stored

The information is processed by data controller databases, which we are required to use to keep track of our work. Data processing agreements have been entered into with these businesses. Details of the purpose of storing the information are given in the above paragraphs. The following businesses save data:

– Solidus
– Paypal
– Tripletex
– Gjensidige
– Tax Administration
– DnB
– Amazon Web Services
– WordPress / WP Hotel
– Puzzel
– Stripe
– Pro ISP
– Survey Monkey
– Facebook
– WhatsApp
– Vipps
– MailChimp
– Local authorities at our locations

A Drop in the Ocean will not divulge, sell, convey or otherwise disclose personal data about the registrant other than what is stated in this Privacy Statement, unless we are required to do so as a result of a binding court decision or we have obtained the consent of the registrant. However, this does not prevent us from using a data processor that processes the personal information on our behalf in accordance with the data processing agreement. Data providers who access the registered person’s / user’s personal information in connection with services for A Drop in the Ocean (for example, when we use a third party to make payment transactions or store information on a web server) are subject to confidentiality and are not allowed to use this information in any other way than in the performance of services for us, in accordance with GDPR Article 28. All of these also have rules for processing personal data under the GDPR.

Links to our system vendors’ / data vendors’ privacy statements:

Solidus: https://solidus.no/personvernerklaering/

Paypal: https://www.paypal.com/no/webapps/mpp/ua/privacy-full

Tripletex: https://www.tripletex.no/gdpr-og-personvern/

Gjensidige: https://www.gjensidige.no/personvern-og-sikkerhet

Tax Authorities: https://www.skatteetaten.no/om-skatteetaten/personvern/

DnB: https://www.dnb.no/om-oss/personvern.html

Amazon Web Services (AWS): https://aws.amazon.com/compliance/eu-data-protection/

WordPress/WP Hotel: https://wphotell.unitedworks.no/vilkar-og-betingelser/

Puzzel: https://www.puzzel.com/uk/about-us/trust-centre/gdpr/

Stripe: https://stripe.com/guides/general-data-protection-regulation

Pro ISP: https://www.proisp.no/personvern/

SurveyMonkey: https://www.surveymonkey.com/curiosity/surveymonkey-committed-to-gdpr-compliance/

Facebook and Facebook Messenger: https://www.facebook.com/privacy/explanation

WhatsApp: https://www.whatsapp.com/security/?lang=nb

Vipps: https://www.vipps.no/vilkar/cookie-og-personvern

MailChimp: https://mailchimp.com/legal/privacy/?_ga=2.55378347.1202434019.1528100659-579363101.1528100659

4. Security / Protection of Personal Information / Routines

4.1. Routines and measures

We have established routines and measures at different levels to ensure that unauthorized persons do not gain access to your personal information and that all processing of the information is otherwise in accordance with applicable law. The measures include regular risk assessments, technical systems and physical procedures to safeguard information security and routines to verify inspection and rectification requests.

4.2 Use of analytics tools, cookies and other technologies

We continuously work with the user experience on our website. Therefore, we collect different types of information from our users so that we can always provide the best possible functionality. Examples of such information are which pages are visited, at what time and what kind of browser was used. We also use different types of technology to recognise our users and to analyse data about these. The technology is used partly because it is necessary for services to function, partly because it will be easier to use the service and partly to enable us to carry out analyses that enable us to further develop our service. By using our service, users agree that we may use such tools unless they disable them, for example, by changing settings for cookies in their browser, or disabling a third-party tool by clicking on an opt-out link.

What are cookies?
A cookie is a small text file stored on the user’s PC / mobile phone / tablet, and helps us make the visits to our sites more meaningful and positive to the user. For example, cookies may contain user settings and information about how they have surfed and used our website, etc. The web application that allows you to register a personal profile uses cookies to save user preferences in the browser. Use of cookies is required to use this service.

How do we use cookies?
We use cookies to facilitate the use of our service and to provide our users with relevant information when they visit our site. Cookies are also used to measure traffic on our website, to gather statistics and to improve our service. In addition, we can use third-party cookies to measure and analyze traffic and the use of our website, track behavior to build audiences for marketing purposes, simplify ad management, and improve the functionality of the webpages.

How can users view which cookies are stored in the browser?
The browser settings usually contain an overview of all cookies that are stored so that one can view and delete unwanted cookies. The browser usually stores all cookies in a specific folder on the hard drive, so that one can examine the content in detail.