We use cookies to imporve your experience. By using our site, you consent to our cookie policy Learn more
arrow arrow_up breadcrumb-chevron-right breadcrumb-home dropdown-arrow-down loader GALogoWUNEP GALogo2018 GALogo2019 menu read-more-plus rrss-email rrss-facebook rrss-flickr rrss-instagram rrss-linkedin rrss-twitter rrss-vimeo rrss-youtube rrss_google_plus rrss_skype rrss_web pdf search share Completed In Process Ideas In Develpment Toogle Toogle Thumbnail View List View play close filter-collapse filter edit media_photo_library media_video_library graphics pictures videos collections next
General

GRID-Arendal reserves its exclusive right in its sole discretion to alter, limit or discontinue the Site or any Materials in any respect. GRID-Arendal shall have no obligation to take the needs of any User into consideration in connection therewith. GRID-Arendal reserves the right to deny in its sole discretion any user access to this Site or any portion thereof without notice.

Privacy Policy

1. About Privacy

This policy is intended to help us comply with the Personal Data Act of 2018. The policy shall also help to prove that our processing of personal data is in accordance with the law.


2. Responsibility for the processing of personal data with us

The company is responsible for personal data we process, for example about our own employees, contact persons of customers and suppliers, private customers, and other business contacts. The company is responsible for complying with the obligations that follow from the rules on personal data.


The day-to-day processing is the responsibility of the Managing Director


3. Knowledge of the rules on personal data

We shall ensure that the relevant employees are familiar with the rules on personal data, including this policy on privacy. The level of evasion shall be adapted to the individual employee's processing of personal data. We will assess whether some groups of employees need special knowledge, such as personnel functions and IT managers. Our management must always be familiar with the regulations.


4. Mapping of the processing of personal data

We will map all processing of personal data. We will do this in a form where we specify, among other things, categories of data subjects, purposes of processing, how we process the data and what grounds it has for the processing. The forms shall help us to comply with the rules on the processing of personal data.


5. Basic requirements for the processing of personal data

The Act sets out six grounds that apply to all processing of all personal data. We shall ensure that personal data shall:

1) processed in a lawful, fair, and transparent manner with respect to the data subject ("legality, fairness and transparency")

2) collected for specific, expressly stated, and justified purposes and not further processed in a manner incompatible with these purposes ("Purpose Limitation")."

3) be adequate, relevant, and limited to what is necessary for the purposes for which they are processed ("Data Minimization")."

4) be correct and, if necessary, up to date; reasonable measures must be taken to ensure that personal data that is incorrect with respect to the purposes for which it is processed is deleted or corrected without delay ("correctness")."

5) stored so that it is not possible to identify the data subjects for longer periods than is necessary for the purposes for which the personal data is processed ("storage limitation")

6) be processed in a manner that ensures adequate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures ("integrity and confidentiality")


If personal data is used for purposes other than those for which it is collected, see section 2 above, we shall always consider whether the new or changed purpose is compatible with the original. We shall then consider the factors set out in Article 6 no. 4 of the General Data Protection Regulation.


6. Basis for processing personal data

6.1. Basis for processing personal data

We shall have at least one of the following grounds for all processing of personal data:

1) the data subject has given consent to the processing of their personal data for one or more specific purposes

2) the processing is necessary to fulfil an agreement to which the data subject is a party, or to act at the data subject's request prior to entering into an agreement

3) processing is necessary to fulfil a legal obligation incurred by the data controller

4) the processing is necessary for purposes related to the legitimate interests pursued by the data controller or a third party, unless the data subject's interests or fundamental rights and freedoms take precedence over and require the protection of personal data, especially if the data subject is a child (balancing of interests)


It shall be stated in the survey form what basis we have for processing information.

If the basis for processing is the consent of the data subject (see no. 1), we shall familiarize ourselves with the special rules that apply to such consents, including the requirement for documentation.


If the basis for processing is our legitimate interest (balancing of interests) (see no. 4), we shall concretely and in writing document the assessment, see more detail below.


6.2. Employees

Processing data is essentially a legal obligation. Some of the treatment is also based on a balancing of interests. We need to document that we have fulfilled obligations under law and agreement after they have been fulfilled. We also need human resources documentation to be used for future human resources. These are legitimate interests. It is not possible to access the information in any other way than to store the information. Treatment is therefore necessary.


Our employees have an ongoing contractual relationship with us. The personal data we process is linked to this contractual relationship. It is largely a matter of information that employees have given us. The information relates to matters that an employer treats.


We believe that the legitimate interest takes precedence over the employee's interests.


6.3. Former employees

The processing of most of the personal data is based on a balancing of interests. We may need to document personnel matters even after the employment relationship has ended, such as a dispute with the former employee. This may apply, for example, to documentation that we as an employer have fulfilled our obligations under legislation or the employment agreement. This is a legitimate interest. It is not possible to access the information in any other way. Treatment is therefore necessary.


The process is to store the information for up to twelve months. We can store information that the employee has been employed, duration of employment and work tasks can be stored for longer. The information will not be disclosed to others unless requested by the former employee, for example in connection with the assessment of employment with a new employer.


We believe that the legitimate interest takes precedence over the interests of the former employee.


6.4. Job seekers

The processing of personal data is based on a balancing of interests. We need to use information to assess applications that job seekers send us. This is a legitimate interest. It is not possible to consider an application without processing personal data. Treatment is therefore necessary.


We ask those who want to apply for a job with us to send us the least information about their name, education, work experience, reference persons, etc. (CV). Job seekers will often provide additional personal data they consider relevant to the assessment of the application, for example contact information, family circumstances and interests, as well. In interviews, we ask questions to determine whether the job seeker fits the position. In some cases, we may use tests or question forms for this purpose. If it becomes relevant to hire the job seeker, we may ask for further information as well as for documentation for information we have already received. It is voluntary to provide us with information.


We do not use the information for anything other than to assess the application. We do not provide the information to anyone else. We may retain information from job seekers for six months in case job seekers believe that their rights have not been fulfilled.


We believe that legitimate interest takes precedence over the job seeker's interests.


6.5. Contact persons at vendors

The processing of personal data is based on a balancing of interests. We need to keep in touch with our suppliers to follow up on offers, orders and deliveries, among other things. This is a legitimate interest. That contact becomes effective just by contacting individuals directly. Treatment is therefore necessary.


The processing takes place in relation to the contact person's employer, who wants to be a supplier with us. In addition to names, we process contact information, such as telephone number, email address and employer, all of which are linked primarily to the contact person's working conditions and not to the contact person's private life. The scope of the information is very limited. The processing of the data is related to the supplier's business activities and not to the contact person's private life. Our processing of personal data is clearly foreseeable for the contact person.


We believe that the legitimate interest takes precedence over the interests of the contact person.


6.6. Contact persons at customers

The processing of personal data is based on a balancing of interests. We need to keep in touch with our corporate customers to follow up on offers, orders and deliveries. This is a legitimate interest. That contact becomes effective just by contacting individuals directly. Treatment is therefore necessary.


The processing takes place in relation to the contact person's employer, who is the customer with us. In addition to names, we process general information, such as telephone number, email address and employer, all of which are linked primarily to the contact person's working relationship. The scope of the information is therefore limited. The processing of the data is related to the supplier's business activities and not to the contact person's private life. When consent is required under the Marketing Act, the contact person will also have given consent before sending marketing emails. Our processing of personal data is clearly foreseeable for the contact person.


We believe that the legitimate interest takes precedence over the interests of the contact person.


6.7. Other contact persons

Processing personal data is based on balancing interests. We need to have contact with public authorities, such as NAV and supervisory authorities in connection with public law matters where we may have obligations and rights. This is a legitimate interest. In some cases, that communication may be effective only if we can contact individuals directly. Treatment is therefore necessary.


We store your name and contact details and we use the information to contact the person's employer. The information is related to the contact person's employer's activities and not to the contact person's private life. Our processing of personal data is clearly foreseeable for the contact person.


We believe that the legitimate interest takes precedence over the interests of the contact person.


7. Basis for processing sensitive personal data

Processing of sensitive personal data requires a basis for processing in addition to those mentioned in section 6.

Sensitive personal data are information about racial or ethnic origin, political opinion, religion, conviction, or trade union membership, as well as genetic and biometric information for the purpose of unambiguously identifying a natural person, health information or information about a natural person's sexual relationship or sexual orientation.


If we are to process such information, we shall ensure that we have a basis for processing. For our employees, information about health and union membership will be particularly relevant. Health includes, for example, illness and injuries and absence justified in this. A particularly relevant basis for processing will be that treatment is necessary in the capacity of the employer, for example when following up and reporting to public authorities or in the event of facilitation of the employment relationship.

The processing of information about criminal offences and offences etc. is subject to special rules that we shall familiarize ourselves with if we are to process such information.


8. Information for the data subjects (personvernerklæring)

We shall provide statutory information to the data subjects. We will provide such information in a privacy statement. All data subjects shall have access to the information concerning them. We provide information to employees in a personnel folder.

The information shall include, among other things, the name of the company and contact information, the purpose of the processing, the categories of personal data, recipients of personal data (if it is disclosed), information about any disclosure of personal data to other countries, how long the personal data will be stored, the data subjects' right to demand access, rectify or demand the removal of the personal data, how the business accessed the personal data and the opportunity to complain business to the Norwegian Data Protection Authority.


9. Data subjects' rights

We will respond to inquiries from data subjects without undue delay. If we receive such inquiries, they should be sent to Managing Director


We will ensure that registered people have their rights with us.


10. Easing of personal data

We will delete personal data without undue delay when it is no longer "necessary" for the purpose for which it was collected or processed. At least once a year we're going to go through this.


Employees

As a rule, we retain all information for the duration of the employment period. Employees can request that information be deleted. This will be assessed specifically. The legislation may require a longer retention period.

Former employees and job seekers


See above about the basis for processing for these categories. The legislation may require a longer retention period than stated therein.


Contact persons of vendors and customers

We will delete the information when we become aware that the contact person has left the supplier or customer or that the supplier or customer has appointed a new contact person. The same applies when the supplier or customer relationship has ceased.


We may still store the information for an extended period if we believe that documentation of the contact we have had with the supplier or customer may be required. This may apply, for example, to questions about rights or obligations in the contractual relationship with the supplier or customer. The legislation may also impose requirements for longer retention periods.


Other contact persons

We will delete the information when we become aware that the person is no longer relevant to our needs, including if the person leaves that company, the public agency, etc.


We may still store the information for an extended period if we believe that documentation of contact with the person or the person's employer may be required. This may apply, for example, to questions about rights or obligations in contractual, public law or other matters.


11. Data protection officer

We have assessed whether GDPR requires our company to have a data protection officer.


We have no or very few natural persons as customers. We do not conduct regular and systematic monitoring of a large scale of data subjects. For most categories of data subjects, we generally process ordinary personal data such as name, address, employer, email address, telephone number, etc. We process certain sensitive information about employees.


We have concluded that our company is not subject to the requirement to have a data protection officer.


12. General risk assessment

We shall risk-assess the processing of personal data. This assessment shall enable us to identify and define what security measures we are going to implement.


The assessments shall apply to the probability and severity (risk) of a person’s “rights and freedoms", such as physical injury, damage to things or wealth and medical damage. Examples of injuries include discrimination, identity theft, reputational damage, loss of social esteem, confidential information being known to unauthorized persons and unacceptable interference with privacy.


The mapping show that we:

  • •to a large extent only processes ordinary contact information, such as name, address, employer, email address, telephone number, etc.
  • processes information about employees who are common for managing personnel matters, including compliance with statutory obligations
  • have few or no private customers
  • do not process information about children
  • processes data that is part of ordinary business activities


We've never been the victim of a data breach. We are also not aware that outsiders have shown interest in the personal data we process. We therefore believe that it is unlikely that the information is subject to violations.


Based on the nature and extent of the information we process; we believe that the consequences of violations will not be serious.


When it comes to some of the information about employees, both the probability and seriousness of violations are somewhat greater. We therefore have our own procedures for processing such information, including restricting access to it.


We will risk-assess changes that may affect information security, such as when we purchase new IT services.


The results of risk assessments must be approved by the person who has the dayto-day treatment responsibility of one in the enterprise.


13. Security of information

Under the Act, we shall take appropriate technical and organisational measures to achieve a level of security corresponding to the risks associated with our processing of personal data. We will then consider the condition of the technique, the implementation costs and the nature, scope, and purpose of the treatment, as well as the context in which it is carried out.

Our risks are assessed overall in the section above.


Against this background, we have implemented these measures:

  • It is designated a person with us with special task to ensure security.
  • Unauthorized persons shall be prevented from accessing the personal data or equipment on which they are stored,
  • It shall be ensured that the enterprise's network is protectedfrom entry from external networks with a firewall that only passes through the necessary data traffic,
  • It shall be ensured that the enterprises' networks are protected from the use of unauthorized persons, for example when securing wireless networks.
  • Additional measures shall be implemented for particularly protective information such as sick leave, information about facilitation of the workplace, assessments of the employee, comments, and warnings.
  • Employees shall be trained in the use of the company's IT system.


14. Deviations, analysis of nonconformities and measures to correct them

We must find out whether the processing of personal data follows the rules of the Personal Data Act and the routines in this document. If that's not the case, we need to figure out how to increase compliance. We will document in writing both what discrepancies we have found and what we have done to correct them.


In the survey form, answers to question 15 may summarise deviations for each category of data subjects. The person filling out the form must notify the Managing Director of such nonconformities. The person who discovers nonconformity shall initiate immediate action if necessary to limit or prevent significant inconvenience or consequential damage. The person receiving the notification must first consider whether immediate action is necessary. The person concerned shall then ensure that measures are implemented to prevent nonconformities from happening again.


If it turns out that the routines are not aligned well enough with our company, we should consider changing the routines, see section 18.


15. Purchase of IT services – data trade agreements

Normally, we will act as data controller when the company purchases IT services from a service provider. We are then still responsible for ensuring that data protection legislation is complied with when purchasing IT services, such as HR solutions or customer databases/CRM.


Before purchasing IT services, we must therefore, among other things, assess whether the supplier satisfies the requirements for security required by the Personal Data Act (Article 32). Serio’s suppliers will often be able to document that they meet the requirements. We must also ensure that we enter into a data processing agreement that regulates how the data processor will handle the personal data it receives from and processes on our behalf. Suppliers will often have their own agreements that meet the regulatory requirements.


If the service provider is to transfer personal data to countries outside the EU/EEA, there must be a legal basis for this.


16. Breach of personal data security

In the event of a breach of personal data security (such as hacker attacks or loss of personal data), we shall immediately contact the Norwegian Data Protection Authority to find out what we should do.


"Breach of personal data security" means breaches that lead to accidental or unlawful destruction, loss, alteration, unlawful dissemination of or access to personal data that we process.


In the event of certain breaches of personal data security, we shall notify the Norwegian Data Protection Authority and occasionally also the data subject. Notification to the Norwegian Data Protection Authority shall take place immediately, and no later than 72 hours after we became aware of the breach. It is not necessary to notify the Norwegian Data Protection Authority if it is unlikely that the breach of personal data security will carry a risk to the rights of individuals. An example is where a security breach has resulted in unauthorized persons gaining access to personal data that is already publicly available.


We are obliged to notify the data subject if it is likely that the breach of personal data security will entail a high risk to the rights and freedoms of individuals. We believe that our processing of personal data can only lead to such risks in exceptional circumstances.


We shall document any breaches of personal data security. We do this by describing the actual circumstances surrounding the breach ("What happened?"). In addition, we will describe the effects of the breach and what measures have been taken to remedy the breach. This documentation shall enable the Norwegian Data Protection Authority to check that the enterprise has complied with the requirements of the Act.


17. Assessment of person protection consequences and preconsultation with the Norwegian Data Protection Authority

We will investigate the privacy implications when planning a processing of personal data that is likely to pose a high risk to people's rights, such as the right to privacy. In assessing whether such an investigation is necessary, we shall consider the nature, scope, coherence, and purpose of the treatment. It should also consider whether it uses new technology.


There are several types of cases where it is necessary to investigate privacy consequences: systematic and comprehensive assessment of personal circumstances when the data is used for automated decisions, the processing of sensitive personal data largely or systematic monitoring of public areas to a large extent.


In the cases above, we will familiarise ourselves with the special rules that apply, including that the Norwegian Data Protection Authority shall occasionally be involved in pre-discussions.


18. Review, update, and revision of the policy

We will update and revise this policy regularly. The background for this is, among other things, that the rules in law and regulations may change, our processing of personal data may be changed, or experience may indicate that we should change our routines. For the same reasons, we will also regularly review and update the forms with mapping of the processing of personal data.


The Managing Director is responsible for ensuring that the need for changes and revisions is identified and incorporated into the document and in the form. This should be done bi-annually. 


Privacy Policy - Last Updated 9. November 2023

Disclaimer

The use of this website constitutes an agreement with the following terms and conditions:

  • GRID-Arendal maintains this website (the “Site”) as a courtesy to those who may choose to access the Site (“Users”). The information presented herein is for informative purposes only.
  • GRID-Arendal grants permission to Users to visit the Site and to download and copy the information, documents and materials (collectively, “Materials”) from the Site for non-commercial use, without any right to resell or redistribute them or to compile or create derivative works therefrom, subject to the terms and conditions outlined below (under Attribution-NonCommercial-ShareAlike 4.0 International Licence), and also subject to more specific restrictions that may apply to particular Materials within this Site
  • Unless explicitly stated otherwise, the findings, interpretations and conclusions expressed in the Materials on this Site are those of the various GRID-Arendal staff members, consultants and partners who prepared the work and do not necessarily represent the views of GRID-Arendal.
  • No waiver by GRID-Arendal of any provision of these Terms and Conditions shall be binding except as outlined in writing and signed by its duly authorised representative.


Tracking and Cookie information

By accessing this site, certain information about the User, such as Internet protocol (IP) addresses, navigation through the Site, the software used and the time spent, along with other similar information, will be stored on GRID-Arendal servers. These will not specifically identify the User. The information will be used internally only for website traffic analysis. If the User provides unique identifying information, such as name, address and other information on forms stored on this Site, such information will be used only for statistical purposes and will not be published for general access.


We use cookies to improve your experience. By using our site, you consent to our cookie policy

A cookie is a small file, which is placed on your computer’s hard drive. The file is added and the cookie helps analyse web traffic or lets you know when you visit a particular page. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.


What information do we collect about you on our websites?

We collect information about your name and e-mail address when you register with us to receive our news stories. Name and email addresses are also collected when you request access to our maps, graphics, photos and video resources.


This policy applies to all GRID-Arendal websites, including, but not limited to:

  • grida.no
  • 100africanvoices.com
  • bluecarbonportal.com
  • bluecarbonportal.info
  • bluecarbonportal.net
  • bluecarbonportal.no
  • bluecarbonportal.org
  • bluehabitats.org
  • bluesolutions.info
  • coastalpermafrost.org
  • ecotip-arctic.eu
  • eo4sd-fragility.net
  • gefblueforests.com
  • gefblueforests.org
  • gefmarineplastics.org
  • globalpeatlands.org
  • kaspinfo.net
  • mamiwataproject.com
  • mamiwataproject.org
  • marinelitter.no
  • marinelitterhub.com
  • nomadicherders.org
  • nordicbluecarbon.no
  • playing4theplanet.org
  • resiliensea.org
  • sanitation.no
  • seabee.no
  • unseagrass.org
  • worldwater.earth
  • deepdive.grida.no


Links to Other Websites and Services

We are not responsible for the practices employed by websites or services linked to or from the Service, including the information or content contained therein. Please remember that when you use a link to go from the Service to another website, our Privacy Policy does not apply to third-party websites or services. Your browsing and interaction on any third-party website or service, including those that have a link or advertisement on our website, are subject to that third party’s own rules and policies. In addition, you agree that we are not responsible and we do not control over any third parties that you authorise to access your User Content. If you are using a third-party website or service (like Facebook, Google groups, or an IRC chatroom) and you allow such a third-party access to your User Content, you do so at your own risk. This Privacy Policy does not apply to information we collect by other means (including offline) or from other sources other than through the Service. You should exercise caution and look at the privacy statement applicable to the website in question.


Website Disclaimers

  • The contents of this Site do not necessarily reflect the views or policies of GRID- Arendal.
  • The designations employed and the presentations of material in this Site do not imply the expression of any opinion whatsoever on the part of GRID-Arendal or contributory organizations concerning the legal status of any country, territory, city area or its authorities, or concerning the delimitation of its frontiers or boundaries or the designation of its name, frontiers or boundaries.
  • The mention of a commercial entity or product in this website does not imply any endorsement by GRID-Arendal.
  • Materials provided on this Site are provided "as is" and GRID-Arendal specifically does not make any warranties or representations as to the accuracy or completeness of any such Materials.
  • Under no circumstances shall GRID-Arendal be liable for any loss, damage, liability or expense incurred or suffered that is claimed to have resulted from the use of this Site, including, without limitation, any fault, error, omission, interruption or delay with respect thereto.
  • The use of this Site is at the User's sole risk. Under no circumstances, including, but not limited to negligence, shall GRID-Arendal be liable for any direct, indirect, incidental, special or consequential damages, even if GRID-Arendal has been advised of the possibility of such damages.
  • As a condition of use of this Site, the User agrees to indemnify GRID- from and against any and all actions, claims, losses, damages, liabilities and expenses (including reasonable attorneys' fees) arising out of the User's use of this Site, including, without limitation, any claims alleging facts that if true would constitute a breach by the User of these Terms and Conditions. If the User is dissatisfied with any Material on this Site or with any of its Terms and Conditions of Use, the User's sole and exclusive remedy is to discontinue using the Site.
  • This Site may contain links and references to third-party websites. The linked sites are not under the control of GRID-Arendal, and GRID-Arendal is not responsible for the content of any linked site or any link contained in a linked site. GRID-Arendal provides these links only as a convenience, and the inclusion of a link or reference does not imply the endorsement of the linked site by GRID-Arendal.
  • If this Site contains bulletin boards, chat rooms, access to mailing lists or other message or communication facilities (collectively, “Forums”), the User agrees to use the Forums only to send and receive messages and materials that are proper and related to the particular Forum. By way of example and not as a limitation, the User agrees that when using a Forum, he or she shall not do any of the following:
  • (a) Defame, abuse, harass, stalk, threaten or otherwise violate the legal rights (such as rights of privacy and publicity) of others;
  • (b) Publish, post, distribute or disseminate any defamatory, infringing, obscene, indecent or unlawful material or information;
  • (c) Upload or attach files that contain software or other material protected by intellectual property laws (or by rights of privacy and publicity) unless the User owns or controls the rights thereto or has received all consents therefore as may be required by law;
  • (d) Upload or attach files that contain viruses, corrupted files or any other similar software or programs that may damage the operation of another’s computer;
  • (e) Delete any author attributions, legal notices or proprietary designations or labels in any file that is uploaded;
  • (f) Falsify the origin or source of software or other material contained in a file that is uploaded;
  • (g) Advertise or offer to sell any goods or services, or conduct or forward surveys, contests or chain letters, or download any file posted by another user of a Forum that the User knows, or reasonably should know, cannot be legally distributed in such manner.


The User acknowledges that all Forums and discussion groups are public and not private communications. Further, the User acknowledges that chats, postings, conferences, e-mails and other communications by other Users are not endorsed by GRID-Arendal, and that such communications shall not be considered to have been reviewed, screened or approved by GRID-Arendal.


GRID-Arendal reserves the right to remove, for any reason and without notice, any content of the Forums received from Users, including, without limitation, e-mail and bulletin board postings.


Disclaimer - Last Updated 9. November 2023