Privacy statement

This privacy statement explains how Norec collects and uses your data

This notice contains information you are entitled to have when Norec collects personal data about you, either from you yourself or others. The notice provides general information on how Norec processes personal data in accordance with the Norwegian Personal Data Act and the EU General Data Protection Regulation.

The notice is updated as necessary. Norec is the data controller.

Data protection officer

You can contact Norec’s data protection officer, Linn-Helen Evensen, with any questions concerning processing of personal data. Enquiries can be sent to linn-helen.evensen@norec.no

Your rights

You have the right of access, rectification and erasure concerning the personal data we process about you. In addition, you have the right to require restriction of processing, to object to processing and to require data portability.

You can read more about these rights on the Norwegian Data Protection Authority’s website (in Norwegian) or in the Norwegian Personal Data Act.

To exercise your rights, send an email to norec@norec.no. You will receive a reply to your enquiry as soon as possible, and within 30 days. Contact our data protection officer if you believe Norec is not complying with the rules set out in the Personal Data Act. You also have the right to complain to the Norwegian Data Protection Authority about processing that contravenes the data protection legislation in force at any time.

How we receive, collect and process personal data

Norec uses Microsoft Dynamics to store personal data, send out newsletters and handle registration for events. Data saved in Microsoft Dynamics are only searchable by Norec employees. All Norec employees are subject to a duty of confidentiality.

Our website norec.no

On norec.no you can subscribe to newsletters and register for events.
Providing personal data in connection with our services is optional for visitors to Norec’s website.

The basis for processing is consent from the individual, unless otherwise specified. Consent is given when you register your data, and you can withdraw consent by unsubscribing from the service.

The IT company Nordlo is our data processor and provider of IT development, operation and maintenance services. Our website is maintained by Nucleus. Norec has entered into data processor agreements with both parties that regulate what information the service providers are to have access to and how it is to be processed. The data processor agreements also cover subcontractors that the service providers use in their provision of services to Norec.

Registering for events

Norec’s public events are announced on norec.no. When registering for an event organised by Norec, you need to provide your name, workplace and email address. For larger events, we also ask you to provide a mobile phone number, while adding information on allergies and food intolerances is optional.

We ask for this information in order to manage registrations and participation, and for safety and security reasons. When you have registered for an event, we might send you information ahead of and after the event.

The information you provide is stored in our databases so that you do not need to provide the same information again if you participate in further events. You may request erasure of this information by contacting Norec’s data protection officer.

When you participate in an event organised by Norec, you consent to receive newsletters and emails about future events at Norec. This involves transferring names and email addresses to a dedicated list of people who wish to receive newsletters and information about future events at Norec. You can unsubscribe from this list at any time by sending an email to norec@norec.no. Your consent is then considered to be withdrawn.

Newsletters

Norec publishes a number of external newsletters that are issued by different specialist departments and sent by email. In this context, we will only process your email address.

Invalid email addresses are automatically deleted over time.

The information you provide to subscribe to one or more of our newsletters is stored in separate lists in a dedicated database and is not shared with anyone other than the data processor.

The basis for processing personal data in connection with newsletters is Article 6 section 1(a) of the General Data Protection Regulation, i.e. consent.

Web statistics

Norec collects anonymised statistics on visitors to norec.no. The purpose of this is to compile statistics that we use to improve and develop the provision of information on our website. For example, we use statistics to measure how many people visit different pages, how long they stay on the page, which websites the users arrive from and which web browsers they use.

The basis for processing this is Article 6 section 1(f) of the General Data Protection Regulation, which permits us to process data that is necessary for the purposes of a legitimate interest that overrides the protection of personal data. The legitimate interest is to improve our services.

Use of cookies

Cookies are small text files that are placed on your computer when you visit a website, such as norec.no. They store information on how you have used the website and make it faster to load pages next time you visit.

The files are not harmful, and cannot contain viruses or program code. Most browsers are set to accept cookies automatically. If you do not want to accept cookies, you can either change the settings directly in your browser or use a tool such as Ghostery. (However, this may result in a less optimal user experience on our website.)

We use the following cookies on norec.no:

Google Analytics

Google Analytics installs a cookie on your computer to provide us with statistics on how our website is used. We have turned on the IP anonymisation feature so that it is not possible to trace your unique IP address.

Contact with Norec

Email and phone

Norec uses email and phone as part of our day-to-day work to execute our tasks as a government agency. This applies to communication with both internal and external contacts. We archive relevant information that emerges from phone calls or email correspondence that form part of our case processing. This information is processed as described under “Case processing and archiving”.

Note that ordinary email is unencrypted. We therefore encourage you not to send via email information that is subject to a duty of confidentiality, comes under a special category (sensitive) or is otherwise private.

Case processing and archiving

Various types of personal data are registered in the case and record management system depending on the matter concerned. Name, address, phone number and email addresses are saved in the contact register. For Norwegian applicants who wish to use an electronic signature, the national identity number will also be stored.

Data such as name, address, phone number, email address and other relevant information from grant applications and other enquiries in connection with such applications, as well as correspondence in connection with follow-up of development assistance projects, board work and other fields, are archived in the respective case documents.

Norec uses the Public 360° case and record management system for electronic archiving and journalling of documents. Data are registered, saved and retained in accordance with public records legislation. Special measures and routines have been established for information that is to be shielded.

Public 360° is a case and record management system supplied by Tietoevry and complies with the Norwegian Model Requirements for Electronic Records Management Systems (EDRMS).

Data that are necessary for processing complaints will be disclosed to the Norwegian Ministry of Foreign Affairs, which is the complaints body for Norec.

The basis for processing this is Article 6 sections 1(b), (c) and (e) of the General Data Protection Regulation: necessary in order to take steps at the request of the data subject prior to entering into a contract or for compliance with a legal obligation, cf. sections 6 and 7 of the Norwegian Freedom of Information Act.

Whistleblowing

Norec has established a whistleblowing service to receive notifications of suspected breaches of procedures, harassment and other censurable conditions related to Norec’s activities. The whistleblowing team has a dedicated email address that only the team uses. Contact information for the various whistleblowing channels is available here.

Whistleblowing notifications to Norec may in principle contain all types of personal data. Whistleblowing cases are registered in a shielded area in Public 360° for which only employees connected to Norec’s whistleblowing team and an extremely limited number of archive/ICT employees have read access. Personal data are archived in line with public records legislation but are deleted from other storage locations when a need-to-know basis no longer applies.

eInnsyn (public journal)

Norec carries out systematic and consecutive registration of all incoming and outgoing case documents in a journal. This journal contains data on the date, sender, recipient and title of the case document. The daily journal is transferred to eInnsyn on a weekly basis. Entries that are more than a year old cannot be searched by name of a person in eInnsyn.

Note that requests for access to information via eInnsyn are logged and retained.

The basis for processing this is Article 6 section 1(c) of the General Data Protection Regulation: necessary for compliance with a legal obligation, cf. sections 6 and 7 of the Freedom of Information Act.

Surveys

Norec uses Microsoft Dynamics 365 Customer Voice for surveys. We will always provide information on the purpose of the survey and whether or not it is anonymous. We will not share the data with third parties other than Microsoft, or use the data for any purpose other than as stated.

Anonymous surveys: If the survey is anonymous, neither Norec nor Microsoft will collect any information that can be linked to you.

Identifiable surveys: If the survey is not anonymous, Norec can identify who has responded to it. We may also use Microsoft to send out the survey. The basis for processing this is Article 6 section 1(a) of the General Data Protection Regulation: you have given consent to the processing of your personal data.

Job applicants and employment

If you apply for a job at Norec, we need to process data about you in order to assess your application.

The basis for processing this is Article 6 section 1(b) of the General Data Protection Regulation: the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. If your application contains special categories of personal data, our basis for processing is Article 9 section 2(b) and (h) of the General Data Protection Regulation.

Applications are submitted via the JobbNorge jobseeker portal. The written confirmation that the application has been received contains information for the applicant on Norec’s data protection routines.

The basis for processing this is Article 6 section 1(b) of the General Data Protection Regulation: the processing is necessary for the performance of a contract to which the data subject is party.

Data processor agreements

We have data processor agreements with all the providers that process personal data in accordance with an agreement with us.

Other relevant legislation

In addition to the Personal Data Act, the following legislation is also important for Norec’s processing of personal data:

The Freedom of Information Act and associated regulations contain rules on when a document is publicly accessible and when a document can be exempt from public disclosure. Norec practises public access to official papers, which means that, wherever possible, we strive to make documents public.

The Public Administration Act contains case-processing rules governing how cases are to be processed in Norec. As a party to a procedure, e.g. as an applicant for a grant scheme, you have special rights, including right of access to the case documents.

The Public Records Act and associated regulations provide rules on how archive clerks are to process and retain case documents, and on delivery to archives.

Definitions

The data subject: Person whose personal data are processed by Norec.

Processing of personal data: All use of personal data, such as collection, registration, collation, storage and disclosure, or a combination of such types of use.

Data controller: The natural or legal person who determines the purpose of the processing of personal data and what aids are to be used. This is usually a business.

Data processor: The natural or legal person who processes personal data on behalf of the data controller. This is usually a business.

The General Data Protection Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), cf. Article 1 of the Norwegian Personal Data Act. The EU General Data Protection Regulation has been transposed in Norwegian law, cf. Article 1 of the Personal Data Act.

Consent: A voluntary, explicit and informed declaration from the data subject stating that he/she accepts the processing of data about him/herself.

Contact information – data controller

Data controller: Norec – the Norwegian Agency for Exchange Cooperation

The data protection officer is Linn-Helen Evensen

Email: norec@norec.no
Phone: +47 57 99 00 00
Postal address: Fjellvegen 9, 6800 Førde, Norway