Updated 23.10.21

PRIVACY

1. Introduction

1.1. Purpose

With this privacy statement, Creating opportunities together documents that we take care of our users' and data subjects' information and that we process it in accordance with current Norwegian privacy law, including the EU Privacy Regulation (GDPR).

The privacy statement provides an overview of the rights our users and registered persons have in relation to their personal information. It contains information about:

  • which personal information Creating opportunities together collects, processes and stores

  • what kind of information is used about our users

  • what the information is used for

  • how a user can gain access to what information is stored

  • how to request that their personal information be deleted

  • which data processors and third parties have access to the information

  • how we protect the privacy of registered users.

1.2. Definitions

By the registered person or user we mean the person to whom the information applies, for example an employee, a volunteer, a recipient of Creating opportunities together's offers and activities, a donor, someone who subscribes to Creating opportunities together's newsletter, or a contact person at a supplier. In practice, this means all persons about whom we process and store information.

Personal information is information and assessments that can be linked to an identifiable individual. Examples of such information are name, address, date of birth and birth number, telephone number, recognizable image, e-mail address and dynamic IP address.

Processing of personal data is any use of personal data, such as collection, registration, compilation, storage and disclosure or a combination of such uses. All processing of personal data is subject to the current Personal Data Act.

The person responsible for processing is responsible for following the rules. A company or organization is considered to be responsible for processing when it determines the purpose of the processing of personal data and how the data are to be used. The organization retains responsibility even if third parties, such as system vendors, authorities or accountants, are involved. Such parties are considered data processors. The organization is responsible for having an agreement with each of these that ensures that the data processor follows the rules that apply to the organization. More about this in section 3.4.

2. Rights

2.1. Right of access (GDPR Article 15)

The registered person has the right to know whether we have stored information about him/her and, if so, what information. Anyone who wants access can send an inquiry to elisabeth@skapems.no and mark the email with «Access to personal information». The inquiry will then be forwarded to the correct person responsible for processing, and a response to the request must be available within one month of the inquiry being received (GDPR Article 12). If it is not possible to process the request within this deadline, information about this will be provided within one month of receiving the inquiry.

2.2. The right to be forgotten (GDPR Article 17)

According to the law, the registered person has the right to demand deletion of his/her own personal data. This is called the right to be forgotten. The data subject may demand that information about him/her be deleted, including when:

a. it is no longer necessary to take care of the information in order to achieve the purpose of the processing

b. the processing is based on consent, and the consent is withdrawn

c. the data subjects have the right to oppose the processing of personal data

d. the personal data has been processed in violation of the rules

e. the personal information has been collected in connection with children's use of online services

Creating opportunities together wishes - for statistical purposes - to continue storing certain information pursuant to Article 89 of the GDPR. The following information is to be retained after deletion of other personal data related to the person in question:

  • Volunteer / coordinator / board member - gender, age, nationality, date / period of activity.

  • Donors - gender, age, postcode, donated amount, month / year for donation

Personal data may be processed on the basis of Article 6 (1) (e) of the Privacy Regulation if it is necessary for archival purposes in the public interest, purposes related to scientific or historical research or statistical purposes, even if it is no longer necessary for its original purpose. The processing shall be covered by the necessary guarantees in accordance with Article 89 (1) of the Privacy Regulation.

Pursuant to Article 89 (1) of the GDPR, technical and organizational measures must be introduced to ensure in particular that the principle of data minimization is complied with. Creating opportunities together ensures that the information that remains stored is anonymized and encrypted. Furthermore, the information will only be processed to document the organization's activities to the tax authorities, public bodies or the like in connection with application processes, information work and situations in which the organization is required to account for its work and results.

Special categories of personal information

The processing of personal data on racial or ethnic origin, political opinion, religion, belief or trade union membership, as well as the processing of genetic and biometric data for the purpose of uniquely identifying a natural person, and of health or sexual information or information on sexual orientation, is prohibited pursuant to Article 9 (1) of the GDPR.

However, there are exceptions to this prohibition (Article 9 (2) (j)), inter alia for statistical purposes. The preconditions are that the processing takes place in accordance with Article 89 (1) on the basis of Union law or the national law of the Member States, which must be proportionate to the objective pursued, be compatible with the fundamental content of the right to protection of personal data and ensure appropriate and special measures to protect the data subject's fundamental rights and interests. This means that if a data subject wishes to have all his/her information deleted, personal data can still be processed without the data subject's consent if the processing is necessary for archival purposes in the public interest, purposes related to scientific or historical research or statistical purposes, and society's interest in the processing taking place clearly exceeds the disadvantages for the individual.

Creating opportunities together considers that society's interest in the processing taking place clearly exceeds the disadvantages for the individual. It is of course possible to appeal against this; see section 2.6 below on the right of appeal.

Anyone who wants their personal information deleted can send an inquiry to elisabeth@skapems.no and mark the email with «Deletion of personal information». The inquiry will then be forwarded to the correct person responsible for processing and a response to the request must be available within one month of the inquiry being received. If it is not possible to process the request within this deadline, information about this will be provided within one month of receiving the inquiry.

Creating opportunities together will, upon receiving a request from the data subject for deletion of personal data, send a reply confirming that the information that can identify the person has been deleted and stating what information the organization wishes to retain. This is discussed above.

2.3. The right to demand restriction (GDPR Articles 18 and 19)

If the data subject does not want information to be deleted or denies that the information is correct, he or she can demand that the processing of personal data be restricted. Restriction means that the information is stored and can only be used:

a. with the consent of the data subject

b. to defend a legal claim

c. to defend another's rights, or

d. to safeguard important societal interests

When the information is to be deleted or restricted, the data controller has a duty to convey this to everyone who has received the personal information, unless this is disproportionate or impossible.

2.4. The right to data portability (GDPR Article 20)

If someone processes personal data based on consent, for example to fulfill an agreement with the data subject, the data subject can demand to take his data with him to another company. This is called data portability. If it is technically possible, the data subject can demand that the data controller make sure to transfer the information to the new business.

The information shall be in a structured, commonly used and machine-readable format. The right to data portability does not apply to processing that is necessary to carry out tasks in the interest of society or during the exercise of public authority.

2.5. The right to oppose processing

Individuals have the right to object to the processing of their personal data in certain cases. All processing of personal data shall have a processing basis. What constitutes a valid basis for processing is stated in GDPR Articles 6 and 9. Whether the individual can object depends on what the basis for processing is or what the purpose is. Individuals can object if:

a. The information is processed because it is necessary to perform a task in the public interest or exercise public authority according to Article 6 (1) (e) of the regulation

b. The information is processed on the basis of a balance of interests according to Article 6 (1) (f)

c. The purpose of the processing is direct marketing (regardless of what the processing basis is)

If a person objects, the data controller must stop processing the personal data and delete them. The data controller may nevertheless continue to process the personal data if the company can point to compelling, justified reasons for the processing that take precedence over the individual's privacy and rights (see above in section 2.2). The same applies if the processing is necessary to meet a legal claim. The exception does not apply when the purpose is direct marketing. Then the individual always has the right to oppose. Donors have the opportunity to decide what kind of information and inquiries they want to receive, and can contact elisabeth@skapems.no to update consents and reservations.

2.6. Right of appeal

Users / registrants have the right to complain to the Data Inspectorate about the processing of their personal data, if they believe it has been done in violation of current privacy rules.

3. Personal information - processing and storage

3.1. What information do we collect

Depending on the type of user the registered person is and what role he/she has, we collect information that is necessary for the organization's activities.

For recipients of our newsletters, we store the email address. First name, last name and telephone number are stored if the recipient has provided them.

For donors / those who donate money to the organization, we store information that the person himself/herself has given us. This can be name, date of birth, address, email address and phone number. We do not store, but have access to, information about any Facebook username (through fundraising campaigns on Facebook).

For future, active or former volunteers, we store the following personal information that they themselves have provided to us:

  • Volunteers in Norway - name, nationality, age / date of birth, telephone number, e-mail and start and end date.

  • Board members - name, nationality, date of birth, birth number, telephone number, address, e-mail and occupation, copy of passport, and start and end date.

  • Coordinators - name, nationality, date of birth, birth number, account number, employment contract, telephone number, address, e-mail, work experience, copy of passport, national ID card, certificates from police and prison authorities and start and end date.

  • Volunteers in Honduras - name, nationality, date of birth, birth number, telephone number, address, e-mail, work experience, copy of national ID card, based on liability, certificates from police and prison authorities and start and end date.

  • Recipients - name, nationality, date of birth, birth number, telephone number, address, e-mail, work experience, copy of national ID card, birth certificate (children - under 18 years), transcript (upon receipt of student aid), request / application, contract and start and end date.

When someone shops in our online store, their name, address, email address and the products they have purchased are stored.

3.2. The personal information is collected as follows:

Recipient of newsletters - via your own subscription to newsletters through our website, when buying a product in the online store and when you receive a gift. In all cases, consent is given to receive newsletters.

Donor - via own registration, where the donor provides the information himself/herself, as a regular donor through a bank or Vipps, or through a financial contribution given once.

Volunteers - through their personal contact with Creating opportunities together, where the person in question provides the information himself/herself, physically or digitally.

Employee / coordinator - information is provided by the employee himself/herself before the preparation of the employment contract.

Buyer (online store trade) - the buyer provides the necessary information himself/herself when registering the purchase.

3.3. What is the information used for / purpose?

Personal information will not be stored longer than is necessary to fulfill the purpose of the processing. The purpose of processing / storing the different types of personal data depends on the type of involvement the data subject has in Creating opportunities together, and is stated in the various points described below:

  • Recipient of newsletters - in order to send out newsletters that the registered person has requested, we need to save an email address.

  • Donor - to be able to report to the tax authorities for those who want a tax deduction, as well as to ensure predictability, keep an overview of the organization's financial situation and compile statistics. To inform donors about the significance and effect of their contribution.

  • Volunteer / coordinator / board member - we need information about the level of activity of volunteers, as well as nationality, gender and age, in order to be able to plan participation and good staffing when carrying out our work. An email address is required to send information to the person concerned. In order to carry out the work at the relevant locations, information on personal data mentioned above is required from national authorities. Local authorities may also require some of the above-mentioned personal data to supervise or approve activities that Creating opportunities together carries out. We need information about the relatives of volunteers and coordinators in case it becomes necessary to get in touch with them because of a crisis situation or an incident to which the person in question is exposed. In accordance with the Working Environment Act, all employees must have employment contracts, which must contain the personal information described above. This is necessary to pay the right salary. Authorities and the insurance company need information related to pension and employee insurance.

  • Customer in online store - to be able to send out products purchased in our online store.

  • Recipient - to be able to document our work to government agencies and to manage, in the best possible way, the financial resources Creating opportunities together receives.

3.4. Where the information is stored

The personal information is processed by third party system suppliers (data processors) in databases that we need to use to keep track of our work. Data processor agreements have been entered into with relevant actors. A more detailed description of the purpose of storing the information is given in the points above. The following data processors / institutions store information: Solidus, Sparebank 1 SR-Bank, WIX, Stripe, Facebook, Vipps, PayPal / Zettle, Microsoft.

Creating opportunities together will not share, sell, disseminate or otherwise disclose personal information about the data subject in any way other than that set forth in this privacy statement, unless we are required to do so as a result of a binding court decision or we have obtained the data subject's consent. However, this does not prevent us from using a data processor that processes the personal data on our behalf in accordance with the data processor agreement. Data processors who gain access to the data subject's / user's personal data in connection with the provision of services to Creating opportunities together (for example when we use a third party to carry out payment transactions or store information on a web server) are subject to a duty of confidentiality, and they are not allowed to use this information in any other way than in the execution of services for us, cf. GDPR Article 28. All of these also have rules for the processing of personal data in accordance with the GDPR. Links to our system vendors' / data processors' privacy statements:

WIX: https://no.wix.com/about/privacy

Solidus: https://solidus.no/personvernerklaering/

Sparebank 1 SR-Bank: https://www.sparebank1.no/nb/sr-bank/om-oss/personvern.html

Facebook: https://www.facebook.com/privacy/explanation

Vipps: https://www.vipps.no/vilkar/cookie-og-personvern

Microsoft: https://privacy.microsoft.com/nb-en/privacystatement

PayPal: https://www.paypal.com/myaccount/privacy/privacyhub?locale.x=no_NO

Zettle: https://www.zettle.com/no/juridisk/personvernerklaering

Stripe: https://stripe.com/en-no/privacy

4. Security / Securing of personal information / routines

4.1. Routines and measures

We have established routines and measures at various levels to ensure that unauthorized persons do not gain access to users' / registered persons' personal information and that all processing of the information takes place in accordance with applicable law. The measures include regular risk assessments, technical systems and physical procedures to ensure information security, and routines for verifying access and correction requests. Routines and measures have been introduced for cases where discrepancies are discovered in the processing or storage of personal data.

4.2. Use of analysis tools, cookies and other technology

We work continuously on the user experience on our website. Therefore, we collect different types of information from our users, so that we can at all times facilitate the best possible functionality. Examples of such information are which pages are visited, at what time of day the visit was made and which browser was used. We also use various forms of technology to recognize our users and to analyze data about them. The technology is used partly because it is necessary for services to work, partly to make the service easier to use and partly so that we can carry out analyses that enable us to further develop our service. By using our service, users agree that we may use such tools, unless they disable the tools, for example by changing cookie settings in their browser, or disable a third-party tool by clicking on an opt-out link.