Document owner: Sandi Dempsey
Last reviewed: Jan 28, 2025
The purpose of this privacy policy is to provide information about Balakun's collection and processing of personal data.
This privacy policy complies with the requirements set out in the EU General Data Protection Regulation, hereinafter referred to as 'GDPR', and implemented in Norwegian law through the Norwegian Act on the Processing of Personal Data (the Personal Data Act) of 2018. This notice will be updated as needed.
Balakun shall not process personal data to a greater extent than is necessary for the purposes of Balakun. The purpose of the Personal Data Act is to protect the individual against the violation of privacy by the processing of personal data. It is important to Balakun that the processing of personal data constitutes as little intervention as possible for the individual data subject, based on what is practically, technically, and financially possible, cf. the Personal Data Act and the Privacy Regulation Article 5. As a data subject, you therefore are protected by certain rights under this law.
Balakun
Norwegian Organization #: 833171062
Balakun, represented by the Board Chair, is the data controller responsible for the institution's processing of personal data. The data controller's tasks are delegated to the line managers. Where the daily responsibility is delegated, the details are described in each section below. The delegation only includes the tasks and not the responsibilities.
Balakun's DPO is: Sandi Dempsey
At Balakun, personal data is processed for administrative purposes, for archiving purposes, and for statistical purposes. As a general rule, information collected for a particular purpose cannot be used for other purposes.
In general, we process information that you have provided to us for one of the following reasons:
Balakun has a legitimate interest in being able to contact you.
We also process personal data which has not been obtained directly from you for the following reasons:
The Personal Data Act, which incorporates the EU General Data Protection Regulation (GDPR) into Norwegian law in its entirety, contains provisions on the processing of personal data, including collection, information security, who has access, and disclosure. All processing of personal data must comply with the basic principles incorporated in Article 5 of the GDPR act, including the lawfulness of processing in Article 6, and the conditions in Article 9 for the processing of special categories of personal data.
The Personal Data Act and Article 4 (7) of the GDPR provide that the data controller is the institution, which alone or jointly with others determines the purposes and means of the processing of personal data. According to the delegation of authority, the CEO has the overall responsibility for all processing of personal data, and is the data controller. The daily operational responsibility for information security is delegated to the CTO.
If you wish to receive information about what personal data is registered about you, or you wish to exercise the right to access, the right to rectification, the right to erasure, or other rights according provided in the GDPR, you can submit your request to the Data protection officer. You are entitled to a response without undue delay, and no later than 30 days.
If you have general questions about the processing of your personal data at Balakun, you can contact our Data Protection Officer.
Balakun has a Data Protection Officer to safeguard the privacy interests of our volunteers, students, and other data subjects that Balakun processes personal data about. The Data Protection Officer can, among other things, assist individuals who are registered with personal data at Balakun, to safeguard their rights. However, it is the controller who is responsible for Balakun complying with the rules and regulations. The Data Protection Officer can also provide assistance and answer any questions. You can contact the data protection officer at privacy@balakun.org
You are entitled to know what personal data is registered about you at Balakun and how this data is processed, cf. the provisions of the Personal Data Act and the GDPR Article 15. You are entitled to know what the purpose of the processing of the data is, the type of data that is processed, whether they are or will be disclosed to others and, if so, to whom, how long the data will be stored and any procedures for erasure. You also have the right to know the extent to which you have the right to rectification, erasure, restriction of processing or to object to the processing. You also have the right to know how the information is collected. You are entitled to a copy of all the data about you, including electronic tracking. You have the right of access without undue delay and within one month at the latest.
Information provided under the GDPR Articles 13 and 14 and any communication and actions taken under Articles 15 to 22 and 34 shall be provided free of charge, unless the exemptions set out in GDPR Article 12(5) apply.
In certain cases, you have the right to demand rectification and erasure of information about yourself, cf. Article 16 of the General Data Protection Regulation. You must be able to prove that the registered information is incorrect, and what the correct information is.
You are entitled to rectification without undue delay and normally within one month. In cases where correction is not practicable or where the information is correct but gives an incorrect impression, you may require that the information be supplemented.
In some cases, you have the right to request that information be deleted. This is also called "the right to be forgotten". Unless one of the exceptions applies, you may require the deletion of your information in the following cases, cf. Article 17 of the General Data Protection Regulation:
In the above cases, the institution shall carry out deletion without undue delay and normally within one month at the latest.
The right to delete does NOT apply in the following cases (exceptions):
In some cases, you may request the processing of your personal data information be restricted. In that case, the information can be stored but not used for anything.
If we process information about you on the basis of our assignments or on the basis of a balance of interests, you have the right to object to our processing of your personal data. This is mainly when we process personal data without your consent. Article 21 of the General Data Protection Regulation therefore states that you may in some cases object to the processing of your information.
The right to protest does NOT apply in the following cases (exceptions):
The right to protest also does not apply if the organization can show that weighty reasons supersede your protest (balancing of interests).
By using balakun.org, you consent to Balakun setting cookies in your browser.
Balakun uses cookies to generate statistics for the use of the website, to conduct surveys on what users think of Balakun.org, and to offer customized ads (retargeting) on Google, Facebook, and Twitter. For example, for recruitment purposes, the Student Administration Department uses cookies for marketing/retargeting prospective students.
The statistics are a tool for improving our website, as well as assessing the impact of marketing on other digital platforms. For each page viewed, the following information is stored on our servers.
Your IP address is anonymized and cannot be associated with you as a person.
This website uses cookies from Google Analytics.
Google Analytics is used to analyze the visits we get to our site. This is done using the following cookies:
You can opt-out of cookies from Google Analytics by visiting Google's website.
Third-party requests are queries created by a user to an external service provider, such as ads and social media widgets. Although these queries do not set cookies, they can still transmit information to third parties.
You can prevent cookies from being stored on your computer by changing your browser settings. However, please be aware that if you change your settings, you may not be able to use the site's functionality in its entirety.
The legal basis for the processing of personal data on applicants and students is The Personal Data Act and The General Data Protection Regulation Article 6 (1) and Article 9 (2) (a), (b).
If you are applying for admission or are a student at Balakun, we must collect and register information such as name and contact details. The purpose of the registrations is to administer your application to participate in our community. You normally register the information yourself via the application form. Some recordings are made during verification calls, and then we record the information you have given us in our systems.
Balakun will be able to disclose or export data containing personal data to other systems, i.e. external data processors, for example to Google as we create your account to access our systems, or in cases where it is considered necessary. Current external data processors from which personal data can be retrieved and provided:
Balakun may receive requests for access in accordance with the Freedom of Information Act. We want to remark that the provisions of the Personal Data Act will not be able to impose restrictions on this right of access where the inquiry relates to personal data.
By volunteer, we refer to the roles of mentor, administrative and other non-student roles.
The Director is delegated the day-to-day responsibility for processing personal data information about volunteers. This involves making sure that necessary routines have been established to ensure confidentiality and quality and that the information is not stored longer than necessary. The Director is also responsible for providing necessary training in the use of IT systems and current routines.
The purpose of processing personal data information about volunteers is to fulfill legal obligations and agreements. The legal basis for the processing of personal data on volunteers is The Personal Data Act and The General Data Protection Regulation Article 6 (1) (a), (b), (c), (e), (f), Article 9 (2) (a), (b), and Article 88.
Volunteers at Balakun are registered with name, birth year, and contact information. In addition, jskills, social media links and location may be processed.
The information is collected from you as an applicant or volunteer.
The purpose of the registrations is to administer your application to participate in our community. You normally register the information yourself via the application form. Some recordings are made during verification calls, and then we record the information you have given us in our systems.
The information is archived in Balakun's CRM system and user management system at the IT department. The systems are access controlled, and no one but those who need it have access to personal information.
The main point is that personal data should not be stored longer than necessary to carry out the purpose of the processing. If personal data is not to be stored in accordance with the Archives Act or other legislation, they must be deleted.
Volunteers have access to their personal data through the Google Workspace. Access to other information in the personnel directory is given by contacting the administration of Balakun.
The personal data information about students and volunteers is registered by Balakun for use for specific purposes and shall be used according to the purpose.
As a general rule, Balakun can only disclose your personal information to others once you have consented. In some cases, information is provided without consent: when authorized by law, to fulfill an agreement with you, or when necessary to perform tasks assigned to Balakun as the controller.
In principle, no one at Balakun or outside has access to students' and volunteers' balakun.org email accounts, personal storage areas, or their online activity. This can only happen in very special cases regulated by the ICT Regulations and pursuant to Section 9-5 of the Working Environment Act, the Personal Data Act, and The General Data Protection Regulation. Such exceptions may, for example, be in connection with absence due to health, death, or suspected criminal circumstances.
The purpose of logging is to ensure stable operation, capture and clarify conditions around undesirable events, and manage quota restrictions (e.g., storage space). Only logging personnel are responsible for the systems in question. They should not be used for any purpose other than that for which they were collected, and they will not be disclosed to outsiders. Extradition to the police and prosecuting authority shall only take place with the written permission of the Balakun CEO.
The legal basis for the processing of personal data in logs is the Personal Data Act and the General Data Protection Regulation Article 32.
The purpose of logging the activity in IT systems is to manage systems, ensure stable operation, and detect and resolve unwanted events.
Balakun has regular operating logs and application logs in its IT systems.
Usually, the logs are not extradited, as they are intended as technical operating logs to ensure stable operation and detect unwanted or abnormal events. They can be handed over to police or prosecutors on the basis of a court order. Balakun may request that logs be handed out in accordance with articles 32 and 33 of the General Data Protection Regulation.