Privacy Policy

Applicable as of March 26th, 2019.

1 Introduction

1.1 Purpose

The purpose of Greater Africa’s privacy policy, is to care for peoples private life and handle information about individuals respectfully, and in accordance with their wishes and interests. 

 

The Privacy Statement provides an overview of the rights of our registered subjects´ and users’ data. It contains information about what personal data Greater Africa collects, processes and stores, and what data is processed about our users, what the data is used for, which data processors and third parties have access to the information, and how we protect the registered subjects’ privacy.

1.2 Scope

With this declaration we state that manage all work with all registered persons and users data with our highest level of attention of care. We treat the information in accordance with the current standards and the privacy legislation in Norway, the EU General Data Protection Regulation (GDPR), and for our current operations in Uganda the Data Protection and Privacy Act of February 2nd, 2019.

1.3 Definitions

By registered personsregistrantor user, we are referring to the person whom the data concerns. This can be an employee, a member, a volunteer, a donor or in other way a contributor, partners, suppliers of services or goods, or the representatives or contact persons of these. Further it also includes recipients of any contributions from us, in which ever form this may be. In practice, this regards all individuals we receive, collect, organize and store data about.

 

Personal data is the information and its related assessment that can be connected to one identifiable person. This could be for example names, addresses, date of birth, and contact information.

 

Processingof personal data implies any use of the personal data, such as collecting, registering, storing, compiling, combining, organizing and extracting or a combination of these. The processing of personal data is protected by the regulations concerning personal data that is applicable at the given time, and is to be conducted according to the law.

 

data handler is responsible for making sure that all activities within our organizations related to personal data are in compliance with these regulations at all times. According to the legislation we are responsible for data processing regarding identifying the need and purpose of processing the personal data, and for how to make use of it. The organization is also responsible in cases where a third party is involved in handling the data, for example a system supplier, an accountant or an auditor. The organizations leadership are responsible for assuring that the data handlers understand and utilize the organizations policies and guidelines in these regards. See point 3.4 for more about this.

 

2. Right of access

The Right of access by the data subjectis regulated in GDPR Article 15.

2.1 Scope and practice of the right to access

The registered person has the right to know if data has been stored about him/her, and if that is the case, what information has been stored. Any person who wants this information can send an e-mail to hello@greateraricafoundation.com. In accordance with GDPR Article 12 our person in charge of data handling will make sure that the information is provided within 1 month of the request.

3. Right to erasure 

The Right to erasureis regulated in GDPR Article 17. 

3.1 Criteria of erasure

The new amendment of the legislation provides a more defined right of the registered person to demand that the personal data shall be deleted. This is the right to erasure, also referred to as the right to be forgotten. 

 

We have the obligation to erase data upon request from the registrant when the following criteria applies:

·     When the purpose for keeping the data is no longer relevant

·     When the registrant withdraws consent based on criteria described in point 6

·     When the processing of personal data can be objected on the grounds of 

Article 21 in GDPR

·     When the processing of the data has not been conducted in accordance with the legislation

·     When personal data has been collected from information society services in relation to children under 16 years. 

 

When a person requests personal data to be erased, we will send a conformation that any information that can identify the person has been deleted.

3.2 Grounds for keeping data of public interest etc.

As a knowledge and research institution with a long term goal of promoting African knowledge, heritage, tradition and other relevant information for the common good of societies and civilization, Greater Africa preserves the right to store certain data of importance. This is founded in Article 6 (1) (e), and the issues are described in Article 89 of the GDPR. The legal basis states the importance of the following: public interest, scientific or historical research purposes and statistical purposes.

 

This information might be stored after other personal data is deleted:

·     Position, title or role

·     Age

·     Gender

·     Nationality

·     Time of involment with us

·     Location of involvement and with which department of our organization

 

For contributors we may also store the following:

·     Items/services or amount donated


Greater Africa ensures that data which is stored after other personal data is erased, will be completely anonymous and not in any way possible to be connected to any identifiable person, not through restoration or by reviving any related information, not by combining with any other information or in any other way.

 

Access to any of this data is highly restricted even within our own organization, and only accessible to specific people under strict regulation. Any person who is to be granted access to this information has to be guided through all conditions in dialogue with a competent person, to make sure that the competence on privacy issues is properly comprehended and understood. The person whom has received direct instructions has to consent to these in a written agreement.

 

Documentation that is necessary for tax authorities and other governmental institutions, for reporting that is required from us, for application purposes and accountability requirements, is necessary to process for documenting the activities of the organization. This includes verifying our competence in handling the different fields of our operations on a professional level sufficient both ethically, in compliance with the applicable laws, norms and standards, and our capability in relation to set goals of our core operations, as well as in relation to humanity, environment, sustainability and other areas of responsibility.

3.3 Prohibited categories of personal data

Special categories of personal dataare regulated under Article 9 of the GDPR.

The following data is prohibited for processing: personal data revealing racial or ethnic origin, political opinions, religious or philosophical believes, trade union membership, and processing of genetic and biometric data for the sole purpose of identifying a person, information concerning health, sexual orientation and practice.

 

There are exemptions for this prohibition under circumstances described in Article 9, for statistical purposes. This relates to the conditions in point 3.2, and GDPR 89 when it comes to Union and national law of member states, which may have derogations necessary for fulfillment of the purposes in relation to the conditions and safeguards described. This to ensure that any processing of data on grounds of the exemptions (public interest, scientific or historical research, statistical purposes etc..) is in consistency with the basic right of protection of personal data, and that special and sufficient measures are taken to make sure that fundamental rights and interests of registered persons are protected.

 

That means that if a registered person wants that all stored information shall be erased, some personal data may still be processed only if it is necessary for the said reasons, and can then be archived without consent of the data subject. Where there is in the interest of the society, the the processing of the data clearly outweighs any disadvantages for the subject.

 

In the interest of protection of individual rights, anyone who has a disagreement concerning the processing on the basis of any disadvantages for a singular subject can make a complaint. See more about the right to appeal in point 7.

 

4. The right to require restriction 

The Right to restriction of processingis regulated in GDPR Article 18 and Article 19.

 

The registrant can claim the processing of personal data to be limited under the following circumstances:

·     When the accuracy of the information is disputed and have to be verified

·     Where the processing is proven unlawful and the registrant wants restriction instead of erasure

·     Where the necessity of the data is no longer valid for its purpose, but there are requirements by the subject for establishment, exercise or defense of legal claims

·     Where the registrant makes use of the right to objection and the data handler has to verify if there are legal grounds that overrides those of the subject.

 

The registrant has the right to be informed if the restriction is lifted.

 

When restriction has been enforced, the information can be stored but only used in the following circumstances:

·     When the the registrant has given consent

·     For the defense of legal claims

·     For the defense of another persons rights

·     When there are important reasons for public interests

 

The methods of restricting the processing data is described in recital 67 of the GDPR.

5. The right to data portability 

The Right to data portabilityis regulated in GDPR Article 20.

 

If processing of personal data is based on consent in accordance with Article 6(1)a or 9(2)a of GDPR and if the processing is handled automatically, the registrant has the right of obtaining their information and providing it for a different handler.

 

The information shall then be provided in structured manner, in a commonly used and easily readable digital format.

Where it is technically possible, the registrant has the right to have the data transmitted directly from one handler to another.

 

The right to portability does not apply to the processing necessary for public interest with legal basis in Article 17 of the GDPR, and it should not affect the rights and freedoms of others.

6. The right to refuse processing

The Right to objectis regulated in GDPR Article 21.

 

In particular situations, a person has the right to object the processing of personal data. This relates to Article 6(1)e and f, and includes profiling based upon these. Objection is also relevant when the sole purpose of data processing is direct marketing. 

 

At the time of the first communication, the right to objection shall be explicitly notified to the registrant, clear and separate from other information. Registered persons shall have the opportunity of objecting digitally. In our case we have provided solutions within our diverse online forms, and registrants have the opportunity to object using email and on our social media platforms.  

7. Specifications of personal data and processing

In order to fulfill our purpose and exercise our tasks, it is necessary for us to collect, store and process data. See point 9 for how we secure the handling of this work.

7.1 What information is collected and how

For handling services in relation with our donors, members and volunteers in European countries, we collect the following information: name, address, email address, phone number, date of birth, and gender. In case of tax exemption for donors, they voluntarily provide their social security number which is encrypted, so that we can provide for them that donations are exempted from tax by the authorities. All of this information is provided with the registrants consent, through the forms available on our website, or in a few cases on physical forms which are securely destroyed after registration. The purpose of registering email addresses is for the registrars to be able to receive information and updates regarding their contributions and our work related to their involvement, and they are informed and consenting to this upon registration. They are also informed about their right to unsubscribe and how to do so, in compliance with point 6.

Information about contributors on social media such as Facebook and Instagram is available on the respective platforms only, and is not stored by us.

 

We receive anonymous statistics for our website through the platform provider through their analytics service. This information is not identifiable to any specific persons, and is not stored by us.

 

For community members in African countries we we collect the following information: name, gender, nationality, date of birth, address, email address, and phone number. Since we work with families as groups we are also in need of registering family relations. In order to provide for community members who are without income, are need of advancing in their professional life, or if they have valuable competence they want to provide for others within the community, we may also register their occupation, experience, talents and or other resources.

In cases where the registrant is a minor, we also register information about their next of kin, i.e. their parents or guardians. In most cases their name and phone number only. All of this information is provided with consent of the registrants.

 

For volunteers, participants from partners or others working with us in African countries, we might obtain in addition to the ground data a copy of their passport, phone number for their next of kin, address for their accommodation while in the country, local phone number, the objectives of their work and the time and location of their collaboration with us. 

7.2 Where is information stored

As described in point 9.1 we handle data in our own database provided by Solidus. Information is required by governmental authorities and other providers dependent on the users preferred form of interaction, and are processed by data handler databases which are necessary for us to be able to provide and fulfill our tasks and requirements. All of these entities are also bound by the laws for processing personal data under the GDPR legislation.

 

These following entities save data on our European side: Tax Authorities, DnB Bank, Visa, MasterCard, Vipps, PayPal, Solidus, Squarespace, Facebook, Messenger, Instagram, WhatsApp.

 

The following entities store information at the time in Uganda: Uganda Registration and Services Bureau (URSB), The National Bureau for NGOs (Ministry of Internal Affairs), Local authorities at our locations; Kampala Capital City Authority, Chairman, Local Councils and NGO Monitoring Committees, MtN Mobile Money and Uganda Communications Commission (UCU). These entities are subject to the Data Protection and Privacy Act of February 2nd, 2019.

 

Greater Africa will not sell or in any other way disclose personal data for any of the registrants to anyone outside of the scope of this Privacy Statement. The exceptions are only if we are obligated to do so after a court decision or we have received consent. This does not prevent the use of automated processing on our behalf, provided that it is in accordance with the data processing agreement. Service providers who may have access to personal data in connection with services for our registrants, as third party companies that provides transaction solutions or store information on web servers, are obliged to confidentiality. They are bound by Article 28 of the GDPR, and cannot under any circumstances use the data in any other occasion than when performing the specific service. 

 

Here you can find the privacy statements from service providers:

·     Tax Authorities: https://www.skatteetaten.no/en/about-the-tax-administration/security-and-privacy/privacy-policy

·     DnB: https://www.dnb.no/en/about-us/protection-of-personal-privacy.html

·     Visa:https://www.visa.no/legal/privacy-policy.html

·     MasterCard: https://www.mastercard.us/en-us/about-mastercard/what-we-do/privacy.html

·     Vipps:https://www.vipps.no/vilkar/vipps-privacy-protection-policy

·     PayPal: https://www.paypal.com/no/webapps/mpp/ua/privacy-full

·     Solidus: https://solidus.no/personvernerklaering/

·     Squarespace:https://www.squarespace.com/privacy

·     Facebook and Messenger: https://www.facebook.com/privacy/explanation

·     Instagram: https://help.instagram.com/519522125107875

·     WhatsApp: https://www.whatsapp.com/legal/#privacy-policy-information-we-collect

8. Security, protection and routines

8.1 Our policy, security and practice

As a professional organization with a high level of responsibility, we are taking our accountability very seriously. Therefore, we have developed a substantial ethical framework for handling both personal data and economical misconduct. We have also established a secure system for registering, storing and handling data in our database, with restricted access also within our organization. There are strict rules for access and processing and we have a written agreement concerning this in collaboration with our service provider Solidus.

8.2 Cookies and analytics 

We do not believe in the use of cookies for adjusting our image, message or outreach according to others assumed expectations, because we believe more in showing the pure and honest truth about who we are, what we want to do, and the message we want to portray. We do receive anonymous statistics and analytics from our website platform provider, that is helpful with indications that we are making the right choices for reaching out and providing the right guidance for our visitors. The information does not provide any information that can be identifiable to any specific persons. The data contains information about how many visitors we have, how many comes from links on social media or search engines, which pages are visited, which countries we get visits from and the amount of mobile versus desktop and tablet users.