This Privacy notice (“Privacy Notice”) explains why and how NRC processes personal data. It applies to the use of personal data in relation to our donors and customers.
Content of the Privacy Notice
This Privacy notice covers the following areas:
- Who is responsible (the Data controller)?
- How we may use your personal data, the lawful basis for doing so and how long we keep your personal data
- Tax deductions
- Automated decision-making
- Who we may disclose your personal data to
- How we protect your personal data
- Your privacy rights
- How changes to this Privacy notice will be made
- Contacting us or the data protection authority
Who is responsible (Data controller)?
Norwegian Refugee Council
- The Norwegian Refugee Council (NRC) is working to protect the rights of displaced and vulnerable people during crisis.
- NRC is fully committed to protecting your individual rights and keeping your personal data safe.
How we may process your personal data, the lawful basis for doing so and how long we keep your personal data
Overall purpose of processing personal data |
Personal data we may collect from you |
Legal basis for the processing of personal data |
How long will the data be stored
|
To manage your donation when you make a single donation or become a regular donor |
You provide directly to us. <e.g.: Name, email address, phone number, mailing/delivery address. >
|
Contractual obligations to carry out measures related to the donation (GDPR art. 6(1)b) |
Accounting data will be kept for five years, but we won't contact you in the last two years. |
To tailor the content you receive on our channels |
You provide directly to us. The information will be based on your birth date, gender, country, previous donations, purchases, and preferences on our website and webshop.
|
Legitimate interests (GDPR art. 6(1)f). The legitimate interest is to provide content that matches your preferences. |
We will keep primary information for 5 years from end of financial year. NRC may, within 3 years and based on legitimate interests, contact individuals that have cancelled, unless consent has been revoked . Anonymised data kept for statistical purposes (Donation amount, date of birth, gender, country)
|
To comply with legal and accounting requirements stipulated by law. |
You provide directly to us. Transaction data. |
Processing is necessary for compliance with a legal obligation to which the controller is subject (GDPR art. 6(1)c), cf. the Bookkeeping Act and Regulation. |
Accounting data will be kept for five years. |
To report relevant information to the tax authorities to make it possible for you to deduct tax. |
You provide directly to us. <e.g.: Name, email address, phone number, mailing/delivery address, social security number. >
|
Legitimate interest (GDPR art. 6(1)f). Our legitimate interest is to provide extra service for our donors. |
We will keep your data for one year after you have asked us to report the information. |
To manage your purchase when you shop through our webshop, |
You provide directly to us. <e.g.: Name, email address, phone number, mailing/delivery address. >
|
Contractual obligations to carry out measures related to purchasing (GDPR art. 6(1)b) |
Accounting data will be kept for five years, but we won't contact you in the last two years. |
Tell you about our work after you have made a donation |
You provide directly to us. . <e.g.: Name, email addres, phone number, birth date>
|
Legitimate interest (GDPR art. 6(1)f). Our legitimate interest is to inform you about our activity and relevant news. |
Accounting data will be kept for five years, but we won't contact you in the last two years. |
Contact you with similar commercial products after purchase in webshop |
You provide directly to us. Name and email address. |
Legitimate interest (GDPR art. 6(1)f). Our legitimate interest is to inform you about other relevant goods or services, with the aim of increasing the turnover. |
We will keep your data as required by law. Accounting data will be kept for five years, but we won't contact you in the last two years. |
Share our newsletter with you, after you subscribe through our website or webshop. |
You provide directly to us. <e.g.: Name, email addres, phone number, birth date> |
Consent (GDPR art. 6(1)a) |
We will keep your interaction data while you are with us and for three years after. |
To analyze and segmentate our target audience, and to understand who supports us. |
You provide directly to us. <e.g.: Name, email addres, phone number, birth date> |
Legitimate interest (GDPR art. 6(1)f). Our legitimate interest is to understand who uses our webshop, with the aim of increasing the turnover. |
Accounting data will be kept for five years, but we won't contact you in the last two years. Anonymised data kept for statistical purposes (Donation amount, date of birth, gender, country)
|
Tax deductions
Depending on where you live, you might be eligible for a tax deduction on your donation or purchase. To process this, please contact us by email or phone and provide your personal number. By providing this information, you consent to us using it for this purpose.
If you are a Norwegian donor, please visit our tax section on our Norwegian website.
Third parties that the data will be shared with
NRC uses technical solutions owned or supported by third party providers that process personal data on our behalf for the purposes mentioned in the table above. NRC has entered into separate agreements with these providers to ensure the implementation of stringent security and confidentiality measures.
NRC uses third parties such as:
- Salesforce (customer relations management)
- Concept communications (donors recruitment)
- AB Marketing AS (donors recruitment)
- Nets (by Mastercard) (Processing payment)
- GoCardless (Processing payment)
- Stripe (Processing payment)
- Vipps (Processing payment)
- Paypal (Processing payment)
- ResourceSpace (image database)
- IPER Direkte AS (Information cleanup)
- Bisnode (information cleanup)
- OwnBackup (Backup system)
- Shopify (e-commerce transactions)
- Tiltify (fundraising site)
- Trybes BV (online campaigns)
- Andvord (postal mail)
NRC may share your personal data with others such as suppliers, partners, consultants. We may also disclose your personal data to authorities to the extent we are under legal obligation to do so, such as tax authorities in the relevant countries.
International transfers
In some cases, NRC may transfer your personal data to organisations based outside of the EU/EEA. We ensure that the information is protected by Standard Contractual Clauses.
When we send your personal information outside of the EU/EEA, we:
- do so in accordance with the applicable law; and
- ensure that the information is protected by contractual commitments that are comparable to those provided in the Standard Contractual Clauses.
How we protect your personal data
Keeping your personal data safe and secure is at the center of how we work.
We use appropriate measures:
- technical, <e.g.: utilizing secure, access management, verified software from reputable vendors.>
- organisational <e.g.: conducting regular security awareness training sessions for employees to recognize and respond to security threats; carefully selecting and regularly reviewing third-party vendors to ensure they meet the organization’s security standards.>
- administrative <e.g.: ensuring compliance with relevant laws and regulations.>
Your privacy rights
You have certain rights and may invoke them by contacting us in accordance with the contact information on the end of this notice. Provide your name, mobile number and/or email address when you do so and let us know what kind of data about yourself you wish to access, correct, complete, or delete.
You as a data subject have the following rights in respect of personal data we hold about you:
Request access to your personal data:
You have a right to access the personal data we are keeping about you. Your right to access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for the humanitarian activity.
Right to object:
You have the right to object to the processing of your personal data. This includes processing for direct marketing purposes or profiling. If you do, NRC will no longer process your personal data unless we have a lawful basis to do so.
Request correction of incorrect or incomplete data:
If the data is incorrect or incomplete, you are entitled to have the data rectified, within the restrictions stipulated in applicable legislation.
Request erasure:
You have the right to request erasure of your data when:
- you withdraw your consent to the processing and there is no other legitimate reason for processing;
- you object to the processing and there is no justified reason for continuing the processing;
- the processing is unlawful.
Limitation of processing of personal data:
If you contest the data's accuracy or lawfulness, or object to processing, you can request restriction to storage only. This will continue until accuracy, or our interests are verified. If erasure isn't an option, or processing is needed for a legal claim, you can request storage-only processing. We may process your data for legal claims or with your consent.
Data portability:
- You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed by automated means only and on the lawful basis of consent or performance of a contract. Where secure and technically feasible the data can also be transmitted to another data controller by us.
Your request to exercise your rights as listed above will be assessed given the circumstances in the individual case. Please note that we may also retain and use your information as necessary to comply with legal obligations, resolve disputes and enforce our agreements.
How changes to this Privacy Notice will be made
We constantly work to improve and develop our services and ways of working. Therefore, we may update this Privacy Notice as required by changes to our business processes or applicable law.
If the update is not significant, we may make such changes without publishing a separate notice to this effect. If the changes are significant and affect your rights or the way we process personal data, we will give a separate notice of this on our site.
Please review this page regularly to keep up-to-date.
Contact us:
Contact us through our email fundraising@nrc.no or call us at +47 800 33 503 (10:00 am - 2:00 pm CET, Monday - Friday). Provide your name, mobile number and/or email address when you do so and let us know what kind of data about yourself you wish to access, correct, complete, or delete.
Data protection authority
If you have any questions about this Privacy Notice, wish to exercise your data protection rights, or want to communicate with our Data Protection Officers, please contact us at:
- Legal address: Prinsens gate 2, 0152 Oslo, Norway
- NRC Data Protection Officer: Shadab Khan
- E-mail: data.protection@nrc.no
You have a right to lodge a complaint with the competent supervisory authority. For more information, please visit the relevant authority’s website. In Norway, the supervisory authority is the Datatilsynet. Please visit the following website for more information:
- Datatilsynet: Postboks 458 Sentrum 0105 Oslo
- Website: https://www.datatilsynet.no/
This Privacy notice (“Privacy Notice”) explains why and how NRC processes personal data. It applies to the use of personal data in relation to our donors and customers.
Content of the Privacy Notice
This Privacy notice covers the following areas:
- Who is responsible (the Data controller)?
- How we may use your personal data, the lawful basis for doing so and how long we keep your personal data
- Tax deductions
- Automated decision-making
- Who we may disclose your personal data to
- How we protect your personal data
- Your privacy rights
- How changes to this Privacy notice will be made
- Contacting us or the data protection authority
Who is responsible (Data controller)?
Norwegian Refugee Council
- The Norwegian Refugee Council (NRC) is working to protect the rights of displaced and vulnerable people during crisis.
- NRC is fully committed to protecting your individual rights and keeping your personal data safe.
How we may process your personal data, the lawful basis for doing so and how long we keep your personal data
Overall purpose of processing personal data |
Personal data we may collect from you |
Legal basis for the processing of personal data |
How long will the data be stored
|
To manage your donation when you make a single donation or become a regular donor |
You provide directly to us. <e.g.: Name, email address, phone number, mailing/delivery address. >
|
Contractual obligations to carry out measures related to the donation (GDPR art. 6(1)b) |
Accounting data will be kept for five years, but we won't contact you in the last two years. |
To tailor the content you receive on our channels |
You provide directly to us. The information will be based on your birth date, gender, country, previous donations, purchases, and preferences on our website and webshop.
|
Legitimate interests (GDPR art. 6(1)f). The legitimate interest is to provide content that matches your preferences. |
We will keep primary information for 5 years from end of financial year. NRC may, within 3 years and based on legitimate interests, contact individuals that have cancelled, unless consent has been revoked . Anonymised data kept for statistical purposes (Donation amount, date of birth, gender, country)
|
To comply with legal and accounting requirements stipulated by law. |
You provide directly to us. Transaction data. |
Processing is necessary for compliance with a legal obligation to which the controller is subject (GDPR art. 6(1)c), cf. the Bookkeeping Act and Regulation. |
Accounting data will be kept for five years. |
To report relevant information to the tax authorities to make it possible for you to deduct tax. |
You provide directly to us. <e.g.: Name, email address, phone number, mailing/delivery address, social security number. >
|
Legitimate interest (GDPR art. 6(1)f). Our legitimate interest is to provide extra service for our donors. |
We will keep your data for one year after you have asked us to report the information. |
To manage your purchase when you shop through our webshop, |
You provide directly to us. <e.g.: Name, email address, phone number, mailing/delivery address. >
|
Contractual obligations to carry out measures related to purchasing (GDPR art. 6(1)b) |
Accounting data will be kept for five years, but we won't contact you in the last two years. |
Tell you about our work after you have made a donation |
You provide directly to us. . <e.g.: Name, email addres, phone number, birth date>
|
Legitimate interest (GDPR art. 6(1)f). Our legitimate interest is to inform you about our activity and relevant news. |
Accounting data will be kept for five years, but we won't contact you in the last two years. |
Contact you with similar commercial products after purchase in webshop |
You provide directly to us. Name and email address. |
Legitimate interest (GDPR art. 6(1)f). Our legitimate interest is to inform you about other relevant goods or services, with the aim of increasing the turnover. |
We will keep your data as required by law. Accounting data will be kept for five years, but we won't contact you in the last two years. |
Share our newsletter with you, after you subscribe through our website or webshop. |
You provide directly to us. <e.g.: Name, email addres, phone number, birth date> |
Consent (GDPR art. 6(1)a) |
We will keep your interaction data while you are with us and for three years after. |
To analyze and segmentate our target audience, and to understand who supports us. |
You provide directly to us. <e.g.: Name, email addres, phone number, birth date> |
Legitimate interest (GDPR art. 6(1)f). Our legitimate interest is to understand who uses our webshop, with the aim of increasing the turnover. |
Accounting data will be kept for five years, but we won't contact you in the last two years. Anonymised data kept for statistical purposes (Donation amount, date of birth, gender, country)
|
Tax deductions
Depending on where you live, you might be eligible for a tax deduction on your donation or purchase. To process this, please contact us by email or phone and provide your personal number. By providing this information, you consent to us using it for this purpose.
If you are a Norwegian donor, please visit our tax section on our Norwegian website.
Third parties that the data will be shared with
NRC uses technical solutions owned or supported by third party providers that process personal data on our behalf for the purposes mentioned in the table above. NRC has entered into separate agreements with these providers to ensure the implementation of stringent security and confidentiality measures.
NRC uses third parties such as:
- Salesforce (customer relations management)
- Concept communications (donors recruitment)
- AB Marketing AS (donors recruitment)
- Nets (by Mastercard) (Processing payment)
- GoCardless (Processing payment)
- Stripe (Processing payment)
- Vipps (Processing payment)
- Paypal (Processing payment)
- ResourceSpace (image database)
- IPER Direkte AS (Information cleanup)
- Bisnode (information cleanup)
- OwnBackup (Backup system)
- Shopify (e-commerce transactions)
- Tiltify (fundraising site)
- Trybes BV (online campaigns)
- Andvord (postal mail)
NRC may share your personal data with others such as suppliers, partners, consultants. We may also disclose your personal data to authorities to the extent we are under legal obligation to do so, such as tax authorities in the relevant countries.
International transfers
In some cases, NRC may transfer your personal data to organisations based outside of the EU/EEA. We ensure that the information is protected by Standard Contractual Clauses.
When we send your personal information outside of the EU/EEA, we:
- do so in accordance with the applicable law; and
- ensure that the information is protected by contractual commitments that are comparable to those provided in the Standard Contractual Clauses.
How we protect your personal data
Keeping your personal data safe and secure is at the center of how we work.
We use appropriate measures:
- technical, <e.g.: utilizing secure, access management, verified software from reputable vendors.>
- organisational <e.g.: conducting regular security awareness training sessions for employees to recognize and respond to security threats; carefully selecting and regularly reviewing third-party vendors to ensure they meet the organization’s security standards.>
- administrative <e.g.: ensuring compliance with relevant laws and regulations.>
Your privacy rights
You have certain rights and may invoke them by contacting us in accordance with the contact information on the end of this notice. Provide your name, mobile number and/or email address when you do so and let us know what kind of data about yourself you wish to access, correct, complete, or delete.
You as a data subject have the following rights in respect of personal data we hold about you:
Request access to your personal data:
You have a right to access the personal data we are keeping about you. Your right to access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for the humanitarian activity.
Right to object:
You have the right to object to the processing of your personal data. This includes processing for direct marketing purposes or profiling. If you do, NRC will no longer process your personal data unless we have a lawful basis to do so.
Request correction of incorrect or incomplete data:
If the data is incorrect or incomplete, you are entitled to have the data rectified, within the restrictions stipulated in applicable legislation.
Request erasure:
You have the right to request erasure of your data when:
- you withdraw your consent to the processing and there is no other legitimate reason for processing;
- you object to the processing and there is no justified reason for continuing the processing;
- the processing is unlawful.
Limitation of processing of personal data:
If you contest the data's accuracy or lawfulness, or object to processing, you can request restriction to storage only. This will continue until accuracy, or our interests are verified. If erasure isn't an option, or processing is needed for a legal claim, you can request storage-only processing. We may process your data for legal claims or with your consent.
Data portability:
- You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed by automated means only and on the lawful basis of consent or performance of a contract. Where secure and technically feasible the data can also be transmitted to another data controller by us.
Your request to exercise your rights as listed above will be assessed given the circumstances in the individual case. Please note that we may also retain and use your information as necessary to comply with legal obligations, resolve disputes and enforce our agreements.
How changes to this Privacy Notice will be made
We constantly work to improve and develop our services and ways of working. Therefore, we may update this Privacy Notice as required by changes to our business processes or applicable law.
If the update is not significant, we may make such changes without publishing a separate notice to this effect. If the changes are significant and affect your rights or the way we process personal data, we will give a separate notice of this on our site.
Please review this page regularly to keep up-to-date.
Contact us:
Contact us through our email fundraising@nrc.no or call us at +47 800 33 503 (10:00 am - 2:00 pm CET, Monday - Friday). Provide your name, mobile number and/or email address when you do so and let us know what kind of data about yourself you wish to access, correct, complete, or delete.
Data protection authority
If you have any questions about this Privacy Notice, wish to exercise your data protection rights, or want to communicate with our Data Protection Officers, please contact us at:
- Legal address: Prinsens gate 2, 0152 Oslo, Norway
- NRC Data Protection Officer: Shadab Khan
- E-mail: data.protection@nrc.no
You have a right to lodge a complaint with the competent supervisory authority. For more information, please visit the relevant authority’s website. In Norway, the supervisory authority is the Datatilsynet. Please visit the following website for more information:
- Datatilsynet: Postboks 458 Sentrum 0105 Oslo
- Website: https://www.datatilsynet.no/