1.1 The South African Norwegian Association (“SANA”) respects your privacy and is committed to protecting your personal data according to the General Data Protection Regulation (“GDPR”) and any applicable Norwegian data protection law.
1.2 This document contains –
(i) SANA’s policy in regard to the collection and usage of personal data or corporate information that you may provide us when you visit SANA’s page, www.sanassociation.com or pages (the “Website”), become a member thereof, use any of SANA’s services (the “Services”), or communicate with us online,
(ii) general information about when, why, and how we process personal data, and
(iii) other information that you have the right to know, such as your privacy and data protection rights, and how the law protects your personal data.
1.3 Personal data refer to any information relating to an identified or identifiable natural person. Conversely, they do not include information where the identity has been rendered anonymous.
1.4 The law requires that you be informed of how your data is processed, so that you may not lose control thereof. Therefore, it is in your best interest that you read this document, together with our other privacy or fair processing notices when we have to collect your personal data anew.
1.5 SANA may revise this policy from time to time, and will post the most current version on our Website. You will be informed via e-mail if any significant changes are made.
1.6 It is important that the personal data we hold about you is accurate and current. Please keep us informed if your data change during your relationship with us.
1.7 This Website is not intended for children, and we do not knowingly collect data relating to them.
1.8 Kindly refer to the Appendix below to understand the meaning of important terms used in this document.
1.9 As the data controller with the power to determine the purpose and means of processing personal data, we may be reached at the following details for any concern that you may have regarding this document or the exercise of your rights:
2. Types of Personal Data We Process
2.1 We collect, use, store, and transfer different kinds of personal data, as follows:
- Contact details, such as name, title, company name, photos, addresses, telephone numbers, personal email addresses, and bank details (where relevant, e.g., performance of our contract) of our employees, members, customers, collaborative partners, and suppliers/contractors;
- Technical Data, such as internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices used to access this website;
- Usage Data containing information about how you use our Website and Services;
- Aggregated Data, such as statistical or demographic data for any purpose.
Aggregated Data are derived from your personal data. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a certain feature of our Website. Generally, they are not considered personal data as they do not reveal, directly or indirectly, your identity. However, if combining or connecting them with your personal data leads to your re-identification, we treat the combined data as personal data.
2.2 Failure to Provide Personal Data
Where we need to process your personal data by law, or by the terms of our contract with you, and you fail to provide us the requested data, we may not be able to perform the contract/membership we have or are trying to enter into with you (for example, to provide you services or details of events and benefits of membership). In this case, we may have to cancel your membership (with no refund or pro-rata refund of membership fees) or our Services to you. In either case, we will notify you of the cancellation at the earliest time possible.
3. Legal Basis for Processing your Personal Data
We shall process your personal data based on the following, whichever is appropriate to our purpose/s:
- Your consent, particularly to our email or text marketing communications, which consent can be withdrawn anytime;
- Necessity of performing our contract or any step, at your request, prior to the contract’s execution;
- Compliance with our legal obligation/s;
- Legitimate interests, e.g., processing is necessary to prevent fraud, to provide you with your requested information, or for us to engage in direct marketing;
- Exercise or defense of our legal claim, where processing involves special categories of data under Art 9 (2)(f) of the GDPR.
Please note that we may process your personal data based on more than one legal basis, depending on the purpose/s for which we will use your data. If you need details in this instance, please get in touch with us.
4. Methods of Personal Data Gathering
SANA collects personal data on its website in two (2) ways:
4.1 Direct interactions
Personal data are gathered directly from you when you send us an email, complete the membership application form, request marketing or information about our Services, give us feedback, and the like.
4.2 Indirect interactions
Personal data are gathered indirectly through other sources, such as -
4.2.1 Our Website’s cookies and similar technology
Once you interact with our Website, we automatically collect data about your equipment and browsing behavior.
4.2.2 Third parties or publicly available sources.
5. Purposes of our Processing
5.1 We will only use your personal data within the limits allowed by law, most commonly in the following circumstances:
5.1.2 Compliance with Legal Obligations
- Keep records as part of tax regulations, corporate reporting, or in compliance with court legal processes, and the like
5.1.3 Marketing & Advertising
- Provide you/clients/members with choices of products and/or Services, subject to the following terms:
- Unless you give your express opt-in consent, we will not sell, trade, rent, or otherwise share for marketing your personal data with third parties;
- You can ask third parties, or us if you have previously consented to receive marketing messages, to stop these messages;
- Where you opt out of receiving these marketing messages, this will not apply to personal data earlier provided to us as a result of our past Services to you;
5.1.4 Website Improvement, Customer Service
- Analyze IP and browser information to determine traffic to/through our Website to assist us on how to make our Website more effective, and to improve our products/services, marketing, customer relationships, and experiences.
5.1.5 Sharing with Processors or Other Controllers
- Subject to the conditions that your personal data will be properly secured and will not be used for purposes outside the scope of our instructions, your personal data are shared with internal and external third parties, as listed in the Appendix –
- to receive the required IT and system security services on our Website,
- to seek professional services needed to carry out SANA’s goal and mission,
- to comply with SANA’s data processing reporting obligations and other statutory obligations in EU, EEA, and South Africa, and
- other legitimate purposes.
5.2 Change of purpose
We will only use your personal data based on the original purpose/s for which they were collected, unless –
- In our reasonable belief, your personal data have to be used for another compatible purpose; in which case, you may seek clarification on how we arrive at our judgment, or
- Where the use for any purpose is required by law.
6. International Transfers
SANA may likely transfer personal data out of the EU and EEA mainly in pursuit of its mission to foster stronger economic cooperative relationships between Norway and South Africa through promotion and encouragement of commercial investments between the two countries.
In so doing, we undertake, to the greatest extent possible, to transfer your personal data to countries considered by the European Commission to provide an adequate level of data protection, per this link https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_lt. In any event, we shall ensure that all transfers to third countries will be in accordance with the GDPR requirements.
7. Data security
7.1 We protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, by implementing technical and organizational measures, as follows:
7.1.1 the use of username and password as a means to access your account;
Kindly use a strong password, keep it safe, and always log out of your account after each use.
7.1.2 the use of encryption, firewalls, secure socket layer technology, and other reliable systems to prevent unlawful intrusion into our Website;
It is common knowledge, however, that the use of these measures is not foolproof; hence, by using our Website, we assume that you agree to take this risk.
7.1.3 engagement of processors who bind themselves to act only in accordance with our instructions, and who could provide the same technical and organizational measures, including properly trained and reliable employees who commit to keep the security and confidentiality of your personal data.
7.1.4 limiting the access to your personal data only to people who have the business need to know;
7.1.5 establishment of procedures to deal with a suspected data breach, and a mechanism to notify the regulator, where applicable, in case of breach.
9.0 Data retention
We will only retain your personal data for as long as it is necessary to fulfill the purpose/s for which they were collected, or within a period required by law and regulations. Where legally allowed, we can erase your personal data at your request.
Provided that your personal data have been anonymized, we can use and keep them indefinitely, without your consent, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
10. Your legal rights
As the owner of your personal data, you have the right to the following:
(i) get access to, demand correction, or erasure of your personal data;
(ii) object to or restrict the processing of your personal data;
(iii) request the transfer of your personal data;
(iv) withdraw your consent to the processing of your personal data;
As a general rule, you can exercise these rights anytime and free of charge. However, your request can be rejected or you may be required to pay fees, if your request is clearly unfounded, repetitive or excessive.
In the exercise of your rights, you may also be required to provide us with proof of your identity to ensure that your personal data is protected from unlawful disclosure. We may also require from you further details to help us identify with specificity your request.
We shall endeavor to process your request within a month, unless you have made several requests or your request is complex. In either case, we shall ask for an extension. In between, we shall keep you updated about the progress of our work.
12.1 Third Parties
- Internal Third Parties
These are companies, acting as joint controllers or processors, which are based in Norway or in South Africa, and provide IT and system administration services to us, or undertake leadership reporting.
- External Third Parties
People or entities, acting as either processors or joint controllers, who/which are based in Norway or in South Africa, and provide the following services to us, or require us to comply with certain legal obligations:
- Service providers of IT and system administration services;
- Professional advisors like lawyers, bankers, auditors and insurers, providing banking, legal, insurance, and accounting consultancy services;
- Regulators, such as HM Revenue & Customs, requiring reporting of processing activities in certain circumstances.
12.2 Your Legal Rights
12.2.1 Access Right. The right to receive a copy of your personal data in our possession, or to check the legality of your data processing.
12.2.2 Rectification Right. The right to have your incomplete or inaccurate personal data corrected, subject to our verification.
12.2.3 Erasure Right. The right to ask for deletion or removal of your personal data based on either of the following reasons: (i) there is no more valid reason to continue their processing, or (ii) you successfully objected to the processing in case of our unlawful processing or the erasure of your data is mandated by a local law. However, if this right impinges on other rights, such as the right to freedom of speech and information, your request for erasure may be declined.
12.2.4 Objection Right. This is the right to object to the processing where our or a third party’s legitimate interest in your personal data does not override your interests or fundamental rights and freedoms. This is especially true of a child’s personal data.
12.2.5 Restriction Right. The right to have the processing frozen, if (i) the data accuracy is contested and time is needed to verify the accuracy; (ii) the processing is unlawful, but you do not ask that your personal data be erased; (iii) we no longer need the data, according to our original purpose, but we have to keep them to establish, exercise or defend legal rights.
12.2.6 Data Portability Right. This is a two-fold right: (i) the right to receive information provided to us in a ‘structured, commonly used and machine-readable format’ when the information was originally obtained based on your consent or as part of our contract and (ii) the general right to have that data transmitted from us to another business where technically feasible in certain circumstances.
12.2.7 Withdrawal of Consent Right. This right must be disclosed before you give consent to the processing. It can be exercised anytime while we rely on your consent for processing, but this will not affect the processing carried out prior to your withdrawal. Another effect of withdrawal of consent is that we may not be able to provide some of our products and services to you. In that case, we have to inform you at the time you are attempting to withdraw your consent.