Norad’s Data Privacy Declaration

This declaration describes the way in which Norad collects and uses personal information

Data controller

Norad, represented by its director, is the data controller for processing of personal information by the institution. Information on delegation appears under each item where relevant. This delegation only encompasses practical activities, not responsibility.

 

This declaration contains information to which you are entitled when Norad collects your personal information, supplied either by yourself or by others, pursuant to Articles 13 and 14 of the General Data Protection Regulation (GDPR). The declaration provides general information about Norad’s processing of personal data, cf. Article 15 of the GDPR and Section 16 of the Personal Data Act (exceptions). The declaration is updated on a regular basis.

 

Data protection officer

Norad’s data protection officer can be contacted by data subjects with regard to all questions pertaining to the processing of their personal data and their exercise of the rights enshrined in the GDPR/Personal Data Act. Inquiries should be sent to postmottak@norad.no.

 

The rights of data subjects

You have the right to request access to, rectification or erasure of your personal data. Moreover, you have the right to demand restriction of processing, submit an objection to the processing and demand the right to data portability. You may at any time withdraw a consent to processing of personal data by us that you have previously given.

 

You can read more about the content of these rights on the Data Protection Authority’s website:  www.datatilsynet.no.  

To exercise your rights you should contact postmottak@norad.no.  We will respond to your inquiry as soon as possible, and no later than within 30 days.

 

We hope that you will inform us if you believe that we are failing to comply with the provisions in the Data Protection Act. If so, please contact our data protection officer. You may also lodge a complaint with the Data Protection Authority about processing that violates applicable data protection rules.

 

Contact information

Data controller: Norad – Norwegian Agency for Development Cooperation

Email: postmottak@norad.no

Telephone: +47 23 98 00 00  

Mail address: PO Box 1303 Vika, NO-0112 Oslo


1.     Processing of personal data on norad.no, noradbloggen.no and bistandsaktuelt.no

The web editor has day-to-day responsibility for Norad’s processing of personal data on norad.no and noradbloggen.no, unless otherwise specified below. The web editor of the Bistandsaktuelt monthly newspaper is responsible for bistandsaktuelt.no.

On our websites you can sign up for open events, subscribe to newsletters, order publications and the Bistandsaktuelt newspaper, and post comments about blog articles.

Provision of personal data in connection with services, such as subscription to newsletters, is voluntary for visitors to Norad’s web pages. Processing of these data is contingent upon consent from each person concerned, unless otherwise specified.

Knowit is the provider of development, operations and maintenance of our websites. Norad has signed a data processor contract with Knowit. This contract regulates the kinds of information that the supplier may access and how it shall be processed. The data processor contract also encompasses subcontractors that Knowit uses for purposes of providing services to Norad.

Knowit is the provider of development, operations and maintenance of our websites. Norad is currently in the process of signing a data processor contract with Knowit. This contract will regulate the kinds of information that the supplier may access and how it shall be processed. The data processor contract will also encompass subcontractors that Knowit uses for provision of services to Norad. 

Information which is collected in connection with the operation of a website is stored on separate servers operated by the supplier. Norad and Knowit have access to the data collected. For newsletters distributed via norad.no and bistandsaktuelt.no, the subcontractor Apsis also has access to the information collected.

1.1.  Registration for events

Open events in Norad are announced on norad.no. When you sign up for an event under the auspices of Norad, you provide your name, place of work and email address. For major events we also request that you provide your mobile phone number, whereas provision of information on diets and allergies is voluntary.

We ask for this information in order to manage the registration and participation, and for security reasons. In connection with a seminar we may send you a) information before and after the seminar and b) ask you to participate in an evaluation of the same. See the section ‘Visitors to Norad’ for more information.

Norad erases the information that you provide shortly after the event has been held. Every time that you sign up for a new event you will need to re-enter the information.

If you wish to receive emails about upcoming events in Norad you may choose this option when you register. In this case we transfer your name and email address to a separate list of people who want information on upcoming events in Norad. You may unsubscribe to this list at any time by sending an email to paamelding@norad.no.

1.2.  Ordering publications

On norad.no you may order Norad publications. To be able to send you the publication we ask you to provide personal information. All those who wish to order a publication must provide their name, postal address and email. Stating your organisation, telephone number and any potential comments is voluntary. The order information is processed by Norad, which takes care of the dispatch.

Personal information collected in connection with orders for publications is not used for any purposes other than filling the order. Once the order has been dispatched, all information is deleted with the exception of the number of publications ordered, which is used for preparing statistics.

The legal basis for this procedure is Article 6, no. 1 b) of the GDPR: processing is necessary for the performance of a contract to which the data subject is party.

1.3.  Newsletters

Norad issues a number of newsletters that are distributed via email, which are issued by the Bistandsaktuelt newspaper, the Oil for Development programme and the Evaluation Department.

Apsis, a subcontractor of Knowit, has produced the email marketing solution that Norad uses. The information that you provide to subscribe to one or more newsletters is stored in separate lists in an independent database, is not shared with others and is deleted when you unsubscribe.

-       Newsletters from the Bistandsaktuelt newspaper are sent out approximately 2–3 times per week by email. To subscribe to the newsletter you need to provide an email address.

-       Newsletters from Norad’s Evaluation Department are sent out approximately 1–3 times per month by email. To subscribe to the newsletter you need to provide an email address. You may also choose whether or not you want information on invitations to events and calls for tender with your newsletter.  In order to receive this information you need to subscribe to the newsletter.  

-       Newsletters from the Oil for Development programme are sent out 1–2 times every quarter by email. To subscribe to the newsletter you need to provide an email address, your name, organisation and country.

The legal basis for processing of personal data relating to the newsletters is Article 6, no. 1 a) of the GDPR, i.e. consent.

1.4.  Sharing of posts from Norad’s websites

When you share a post from norad.no, noradbloggen.no or bistandsaktuelt.no, information is immediately posted on the web community you have chosen. The further management of the data is regulated by your contract with the web community. We do not store any information about your sharing of posts.

1.5.  Comments on noradbloggen.no and bistandsaktuelt.no

All posts on bistandsaktuelt.no and noradbloggen.no must be signed with your full name. Anonymous posts are removed. Norad uses Disqus for the comments field. The processing of your data by Disqus is regulated by your contract with the web community. As a user, you are responsible for deleting user data provided via the comments field, should you so wish.

1.6.  Search

 

1.7.  Web statistics

Norad collects information on visitors to norad.no, noradbloggen and bistandsaktuelt.no. The purpose is to prepare statistics that we use to improve and refine the information on our websites. The statistics provide answers to questions such as the number of visitors to different pages, how long they spend there, the websites from which users come and the web browsers they are using.

 

1.8.  Cookies

 

1.8.1.    norad.no and bistandsaktuelt.no

Like many other websites, norad.no and bistandsaktuelt.no use cookies. These are small information files that are left on your computer to ensure that our services function in the best possible way for you as a user.

This does not entail any security risk to you, but you may withhold your consent to storage of cookies at any time in your web browser.

The following cookies are used on norad.no:

•ASP.NET_SessionId is used to identify that the movements the user is making stem from a specific unit. This cookie does not contain any personal information and is deleted when you close your web browser.

•ASP.NET_SessionId is used by the publication tool on which the website is based. These cookies are required for the website to function.

•ARRAffinity is used for load balancing. It ensures that the user’s session is sent to the correct server.

•_ga is a cookie that Google Analytics uses to count the number of visitors to norad.no and analyse how users navigate on the website. This cookie contains no personal information, but has a text string that enables the system to recognise a web browser from one page to another and from one visit to another.

We use Google Analytics to improve our web pages for you as a user. If you do not want your visit to be registered you can install the Google Analytics opt-out add-on.

1.8.2.    noradbloggen.no

This blog uses cookies primarily for traffic measurement and content optimisation.

1.8.3.    Management and deletion of cookies

You can read more about how to manage cookies in your web browser on nettvett.no. Please note that this may cause our web pages to function suboptimally.

2.     The Bistandsaktuelt newspaper

If you wish to subscribe to the paper issue of the Bistandsaktuelt newspaper (free of charge), your name, postal address and postal code are registered in the subscription registry Endurico to enable us to send it to you. You can change the registered information or unsubscribe at bistandsaktuelt.no. Your information is deleted from the registry when you unsubscribe.

Your name and address are transferred to the supplier Helt Hjem, which distributes the newspaper. They use the last updated information.

The legal basis for processing of personal data relating to subscriptions is Article 6, no. 1 a) of the GDPR, i.e. consent.

 3.     Contact with Norad

 3.1.  Messages to Norad staff members

Norad staff members can be contacted using the contact form for each employee on norad.no. To send the message you will need to state your name, email address, topic and a message text. The message is sent by email to the person to whom you have addressed it. The message is not stored on norad.no, but is handled as an incoming email. For more information see the section ‘Email and telephone’.

3.2.  Visitors to Norad

All visitors to Norad must register at the reception and state their first name, family name, mobile phone number and place of work.

Visitors to major events are pre-registered on norad.no to better facilitate the checking in of guests. The person administratively responsible for the event produces a complete overview and sends it to the reception. When the event is over, the list is stored for statistical purposes for the current calendar year. The reception deletes the list once the event is over. See the section ‘Registration for events’.

The legal basis for this procedure is Article 6 no.1 f) of the GDPR, which permits us to process information necessary for the purposes of a legitimate interest that outweighs concerns for the privacy of individuals. This legitimate interest is to ensure access to Norad’s premises.

3.3.  Email and telephone

Norad uses email and telephone in its daily operations to fulfil its remit as a directorate. This includes communication with internal as well as external contacts. Relevant information derived from telephone calls and email exchange in the course of casework is archived. In such cases, this information is processed as described in the section ‘Casework and archives’.

Each head of department is responsible for ensuring that all actual casework complies with the regulations and Norad’s routines. Each employee is responsible for deleting messages that are no longer relevant. When an employee resigns, his or her email account is deleted.

Please note that regular emails are unencrypted. We therefore recommend that you do not send confidential, sensitive or otherwise restricted information by email.

3.4.  Casework and archives

Depending on what the matter concerns, various types of personal data are registered in the archive and casework system. Names and email addresses are stored in the contact registry. Information such as names, addresses, telephone numbers, email addresses (basic data) and other relevant information derived from applications for grants and other inquiries associated with such applications, as well as correspondence relating to follow-up of aid projects, board deliberations and similar, are archived in the relevant case files.

 

Norad uses the Public 360 archiving and casework system, with electronic archiving and recording of documents. Registration, storage and filing comply with legislation on archives. Public 360 is an archiving and casework system supplied by the Tieto company and complies with the Norwegian standard for document management (NOARK).

 

The head of the Section for Documentation and Administrative Operations (DDS) has day-to-day responsibility for the system and the manual archive, and for ensuring that procedures for their use have been prepared. Special precautions and procedures have been established for information that requires extra protection. Each head of department ensures that actual casework is in compliance with the procedures.

 

Information required for processing of appeals will be supplied to the Ministry of Foreign Affairs, which is Norad’s appeals body.

The legal basis for this procedure is Article 6 nos. 1 b), c) and e) of the GDPR:  processing is necessary in order to take steps at the request of the data subject, for compliance with a legal obligation, cf. Sections 6 and 7 of the Regulations concerning the Freedom of Information Act, and/or the exercise of official authority vested in Norad.

3.5.  eInnsyn (public document journal)

Norad registers all incoming and outgoing case documents on a systematic and ongoing basis. The journal contains information on the identity of the sender and recipient, and the heading of the document. Names of persons cannot be searched in eInnsyn in records that are more than one year old.

 

Please note that all requests for document access via eInnsyn are stored and logged. All requests for access via eInnsyn are registered and signed out in a separate form.

 

The legal basis for this procedure is Article 6 no. 1 c) of the GDPR: processing is necessary for compliance with a legal obligation, cf. Sections 6 and 7 of the Regulations concerning the Freedom of Information Act.

 3.6.  Surveys/mapping studies

Norad uses the Questback tool for surveys. When undertaking surveys, we always provide information on their purpose and whether or not they are anonymous. We will not share the information with others, nor use the information for purposes other than those stated.

Anonymous surveys: If the survey is anonymous, neither Norad nor Questback Essentials will collect any information that can be linked to you.

Identifiable surveys: If the survey is not anonymous, Norad may identify those who have responded. We may also use Questback Essentials to distribute the survey.

The legal basis for this procedure is Article 6 no. 1 a) of the GDPR: your consent to our processing of your personal data.

 4.     Staff and job applicants

 

4.1.   Norad staff

To comply with its responsibilities as an employer, Norad processes personal data on its employees.  Information necessary to pay salaries is registered, including basic data, salary level, hours worked, tax percentage, municipality of residence for tax purposes and trade union membership. Other information registered includes the employee’s job description and facilitation of his or her job situation.

 

This information is supplied only in relation to payment of salaries and other mandatory reporting. Deletion procedures for personal information comply with the Accounting Act and the Archives Act. Information on name, position and work area is considered public information and may be published on our web pages.

 

The head of the HR section has day-to-day responsibility, including for ensuring that only those staff members who need to do so in the performance of their duties have access to and process personal data on employees.

 

Personal data are also registered in connection with key management for entry and exit from the premises and information on access management (log-on) to IT systems.

 

In its archive system, Norad maintains a personnel file for each of our current and former employees. Since 2003, electronic personnel files have also been used. Personnel files must be preserved, meaning that a job application will not be deleted or shredded. Personnel files are cleared after the termination of an employment relationship. Personnel files must be submitted to the National Archives of Norway. Recommendations with an expanded list of applicants and the text of the vacancy announcement are stored in a separate, physical appointments archive. Its contents are not shredded. The access to personnel files is restricted to those who need such access in the performance of their duties.

 

The legal basis for this procedure is Article 6 no. 1 b) of the GDPR: processing is necessary for performance of a contract to which the data subject is party.

 

4.2.  Job applicants

If you apply for a job in Norad, we need to process information about you in order to assess your application. The legal basis for this is Article 6 no. 1 b) of the GDPR: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. If your application contains special categories of personal data, the legal basis is Article 9, nos. 2 b) and h).

 

Job applications go through the WebCruiter portal. In the written confirmation of receipt of the application, the applicants are informed about Norad’s data protection procedures.

 1.5.             Other relevant statutes

In addition to the Personal Data Act, the following statutes apply to Norad’s processing of personal data:

-      The Freedom of Information Act with appurtenant regulations defines the rules for public access to and exemption from public access to a document. Norad practises expanded public access, meaning that as far as possible, documents should be accessible by the public.

-      The Public Administration Act contains rules that determine how cases will be processed by Norad. As party to a case, e.g. as an applicant for a grant scheme, you enjoy special rights, including with regard to access to the case documents.

-      The Archives Act stipulates rules regarding the management and storage of case documents in filing cabinets, and about delivery to an archives institution.

 

Definitions

Data subject: A person about whom Norad processes personal data.

Processing of personal data: All use of personal data, such as collection, registration, collation, storage and delivery, or a combination of such uses.

Data controller: The entity that determines the purposes and means of processing of personal data. Normally, this will be a legal entity.

Data processor: The entity that processes personal data on behalf of the data controller. Normally, this will be a legal entity.

The General Data Protection Regulation: [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR), cf. Section 1 of the Personal Data Act. The GDPR has legal force in Norway, cf. Section 1 of the Personal Data Act.

Consent: A freely given, specific and informed declaration by the data subject by which he or she signifies agreement to the processing of personal data relating to him or her.