Privacy Policy
Version: 1.1
Updated: 2023-03-01
1. INTRODUCTION
In 2018, Norway received new regulations for handling personal data. The Personal Data Act consists of national rules and the EU Privacy Regulation (GDPR) and applies in principle to all processing of personal data, both for private and public enterprises, if electronic aids are used or the information is included in a register.
This privacy policy provides an overview of how the IT department of BCC-forbundets Fellestjenester (hereinafter referred to as “BCC IT”) collects and uses personal information. It explains why and how BCC IT collects personal information about you, how this information is used, and how we take into account your privacy in the processing of this information.
Personal information is information that can be linked to you as a person. There may be names and contact information, but also a lot of other information that can be linked to you more indirectly.
For BCC IT, it is important that you know what kind of personal data we process, so that you can safeguard your rights under the privacy laws.
BCC IT is responsible our processing of personal data. For more information on key concepts in the Personal Data Act, see a separate section on Glossary.
If you have any questions about this privacy policy or the assessments we have made, you can contact us at it@bcc.no or via our Discord server.
Our postal and physical address is:
BCC-forbundets Fellestjenester
Vålerveien 159
1599 MOSS
NORWAY
Organisation number 928 453 944
2. FIELD OF OPERATION
BCC IT’s operations involve the processing of personal data in various contexts:
- IT Community Activities
- IT Administration Activities
- Software Development and Support Activities
- Non-profit Business Activities
These activities are discussed in the sections below.
2.1 IT Community Activities
BCC IT coordinates IT Community activities in collaboration with other organisations affiliated with the BCC Federation as well as community members (hereafter collectively referred to as "Related Entities").
Under BCC IT Community Acitivites, all IT-related events, collaboration and communication organised by BCC IT (and/or related entities), where you are a participant or contributor are covered. Electronic communication services include text and video chat, telephone (including SMS), internet, cellular telephone and other IP services.
BCC IT organises virtual and physical events (hereafter referred to as "Events") and facilitates collaboration (hereafter referred to as "Collaboration") within the BCC IT Community using several media platforms. This includes platforms such as telephone, internet, smartphones etc.
BCC IT uses multiple tools/services/websites (hereafter referred to as "Tools") to support Events and Collaboration such as:
- Discord
- Zoom
- Teams
- Sharepoint
- Github
- BCC Sign-on
- MyShare (time registration)
- env0
- PowerBI
- Microsoft Azure
- Google Cloud Platform
- Amazon Web Services
- developer.bcc.no
2.2 IT Administration Activities
BCC IT provides IT administration services to organisations within the BCC Federation. This includes network administration, system administration, licence administration, user administration, user support, client device configuration, security awareness training etc. Some of these tasks are performed in collaboration with Related Entities including the BCC IT Community.
When performing tasks within the context of IT Administration, any actions taken may be logged (including personally identifiable information) for security and auditing purposes.
2.3 IT Software Development and Support Activities
BCC IT provides Software Development and Support services to organisations within the BCC Federation. This includes planning, developing, deploying, maintaining, monitoring and supporting software solutions. Some of these tasks are performed in collaboration with Related Entities including the BCC IT Community.
When performing tasks within the context of IT Software Development and Support, any actions taken may be logged (including personally identifiable information) for security and auditing purposes.
2.4 Non-profit Business Activities
This includes the situations where you come into contact with BCC IT as an organisation, and which are neither related to IT Community Activities nor IT Administration Activities or IT Software Development and Support Activities. As an organisation, BCC IT processes personal information related to, for example, camera surveillance in marked areas of our properties, through registration in our visitor systems, through participation in interviews, through letters in physical or digital format (e-mail) to the company, and through inquiries for user support. Non-profit business activities also include the relationship with own employees and those seeking employment with us.
3. PURPOSE
BCC IT processes personal information about you with ten overall purposes related to the four different parts of the non-profit business:
Summary
IT Community Activities
- To organise, host and promote community events.
- To facilitate communication within the community.
- To coordinate and recruit resources for IT-related projects and tasks
- To register participation (including time registration)
IT Administration Activities
- To provide necessary access to systems and resources
- To ensure system and data security and integrity
IT Software Development and Support Activities
- To provide necessary access to systems and resources
- To ensure system and data security and integrity
- To provide statistics on development activities
Non-profit Business Activities
- To carry out the organisation's tasks.
- To fulfill the requirements for compliance with legal provisions.
- To carry out our assignment related to the purpose of the non-profit business.
If your personal information is to be processed for a purpose other than that stated here the new purpose will be stated and parts of information given here will be repeated.
3.1 IT Community Activities
3.1.1 Organise, host and promote community events
BCC IT processes your personal information in order to be able to manage your registration to events, organise activities as part of events and tell you about upcoming events which you may be interested in.
3.1.2 Facilitate communication within the community
BCC IT processes your personcal information in order to identity you and give you access to community communication channels on platforms such as (but not limited to) Discord, Zoom, E-mail, Github and developer.bcc.no.
3.1.3 Coordinate and recruit resources for IT-related projects and tasks
BCC IT processes your personal information, including your skills, interests and availability, in order to manage community-based projects or tasks. We may use your personal information to contact you regarding potential or ongoing IT projects or tasks for organisations affiliated with the BCC Federation.
3.1.4 Register participation (including time registration)
BCC IT processes your personal information to keep track of participation in community-based events and/or volunteering. We use participation and time registration statistics to better understand and improve our community project management processes.
3.2 IT Administration Activities
3.2.2 Provide necessary access to systems and resources
BCC IT processes your personal information in order to be able to create and/or validate user accounts which give you privelliged access to systems or resources, necessary for performing IT administration related tasks. Your personal information will also be collected in order to sign non-disclosure agreements or similar where appropriate.
3.2.3 Ensure system and data security and integrity
BCC IT logs actions taken related to the systems and/or resources you access. Examples of actions that may be logged include logging in, accessing data, modifying data etc. Logs will contain timestamped and personally identifyable information such as your username, your location (e.g. IP-address).
This data may be analysed by humans and/or machines for security, troubleshooting or auditing purposes. Aggregated data may be used to better understand how systems are being used by administrators.
3.3 IT Software Development and Support Activities
3.3.2 Provide necessary access to systems and resources
BCC IT processes your personal information in order to be able to create and/or validate user accounts which give you privelliged access to systems or resources, necessary for performing softare development and support related tasks. Your personal information will also be collected in order to sign non-disclosure agreements or similar where appropriate.
3.3.3 Ensure system and data security and integrity
BCC IT logs actions taken related to the systems and/or resources you access. Examples of actions that may be logged include logging in, accessing data, modifying data etc. Logs will contain timestamped and personally identifyable information such as your username, your location (e.g. IP-address).
This data may be analysed by humans and/or machines for security, troubleshooting or auditing purposes. Aggregated data may be used to better understand how systems are being used by developers.
3.3 Non-profit Business Activities
3.3.1 Perform the organisation's tasks
BCC IT processes your personal information in order to be able to handle the organisation's tasks and duties related to its own employees, job seekers and consultants.
3.3.2 Compliance with legal provisions
BCC IT processes your personal data in order to fulfill our statutory obligations in connection with, for example, the accounting legislation and the archive regulations.
4. PERSONAL INFORMATION PROCESSING, BASIS AND PURPOSE
4.1 The personal information we process when you engage with the BCC IT Community
We process the following personal information about everyone who uses our Tools:
4.1.1 Available information about your device and the internet connection
When you use the Tools, we collect information about, for example, the name of the manufacturer of the computer, mobile phone, your TV box or smart TV, which operating system the device has, which browser version is used, as well as information about the connection to the Tools, such as IP address. The purpose of collecting this information is to provide you and other users with a better user experience, and to prevent misuse of the Tools.
The basis for our use of personal data for this purpose is legitimate interest. The legitimate interest is to improve and further develop the Tools for the benefit of you and other users.
4.1.2 Data collected via surveys or forms
When filling surveys conducted by BCC IT, you may be asked to fill in name, username, contact details, skills, preferences, availability, hours worked etc.
We use this information to plan and contact you regarding community projects and events. We also use it to improve organisation of community events, community collaboration and/or project management.
The basis for our use of personal data for this purpose is legitimate interest. The legitimate interest is to facilitate a community which you have expressed interest in engaging with.
4.1.3 Analysis and statistics
We analyze the use of and interaction with the Tools. The analysis is made based on actions performed on your device. The statistics are anonymized so that we are not able to link the information back to individuals. The basis for our use of personal data for this purpose is legitimate interest. The legitimate interest is to improve and further develop the Tools for the benefit of you and other users.
4.1.5 Cookies
The purpose of using cookies is to give you a better user experience. Cookies are small text files that can be used by websites to make a user’s experience more efficient. Some cookies are posted by third party services displayed on our website. We collect technical information about the type of browser used, whether a PC, mobile or tablet is used and which operating system, date and time of the visit and location based on the IP address. This makes it possible, for example, for us to adapt our services to the right device (for example mobile or desktop) and browser. We register, among other things, which pages are visited, how long the users are on the page, what pages they came from, where they click further and what they search for. This enables us to improve our tools and provide content that is relevant to our community.
4.1.6 Logged in user profile
If you are a logged-in user of the Tools, we process, in addition to mandatory fields such as name and e-mail address, the personal information you provide, such as your affiliation with organisations within the BCC Federation, usernames to tools such as Github and Discord, your skills and preferences etc.
Logged in users will receive personalized access to Tools. In order to offer you this service, BCC IT analyzes your usage patterns in order to uncover behaviors and preferences to provide recommendations and content that are relevant to you. Your personal information tells us something about how and when you use the Tools, and whether you consume content across devices and platforms as well as how often you use our content. All your interactions with the Tools may affect this result.
The basis for our use of personal data for this purpose is based on your consent in when filling out community surveys or consent given when logging into our Tools (such as developer.bcc.no).
4.1.7 Contributions
If you contribute to the community through Github pull-requests, time registration or similar, BCC IT analyzes and reports on these contributions within the BCC IT Community. The data may also be shared with Related Entities where necessary and/or useful.
The basis for our use of personal data for this purpose is legitimate interest. The legitimate interest is to motivate and engage the BCC IT community and improve project management and software delivery processes.
4.2 NON-PROFIT BUSINESS ACTIVITIES
4.2.1 What is registered when you contact us by phone
If you call us, your telephone number will be stored together with information about when you called in our telephone exchange and on the devices to which the call was connected. There is no connection to the central address book or name lookup. The basis for our use of personal data for this purpose is legitimate interest. The legitimate interest is to ensure the safety of BCC IT’s employees and properties.
4.2.2 What is registered when you contact us by e-mail
We use e-mail to perform our work tasks. E-mails we have received will be deleted when they are no longer needed for our daily task solution. In practice, this means that such e-mails should not normally be stored for more than about a year.
We scan all incoming and outgoing emails for viruses and malware.
If you want to send us information that you think is sensitive, first use the telephone solution.
The basis for our use of personal data for this purpose is legitimate interest. The legitimate interest is to secure BCC IT’s IT infrastructure and that inquiries to BCC IT take place in a way that safeguards your security in a good way.
4.3.3 What is registered when you visit our premises
Visitors and employees of BCC IT’s offices register in our access system or in our visitor logs. The electronic logs are deleted after two years, while the physical books are shredded when they are printed out.
The basis for our use of personal data for this purpose is legitimate interest. The legitimate interest is to ensure access to BCC IT’s premises.
4.3.4 Information about job seekers
If you are applying for a job at BCC IT, we need to process information about you to assess your application.
The basis for this is an agreement. If your application contains special categories of personal data, our basis for processing is the Privacy Ordinance, Article 9 (2) (b) and (h). All applications are recorded and archived.
The archived applications are kept for 6 months. Exceptions for this must be agreed upon with the applicant.
4.3.5 Editorial activities
BCC IT will be able to publish photos and films with the names of employees during interviews and editorial coverage of BCC IT’s productions, on BCC IT’s websites, intranet, online TV and on BCC IT’s profiles in social media.
The basis for our use of personal data for this purpose is an agreement through given consent as well as information about this in the employment contract.
4.3.6 Audit logging
BCC IT may log your activity when accessing tools, services and systems you have gained access to through your collaboration with BCC IT. This is done for security and auditing purposes.
The basis for our use of personal data for this purpose is legitimate interest. The legitimate interest is to ensure the security, integrity and reliablity of tools, systems and services we operate.
5. DATA PROCESSORS AND THIRD PARTIES
5.1 IT Community Activities
In order to provide the Services to you, BCC IT uses several external service providers. Some of these are data processors that process personal data on behalf of BCC IT, while others are third parties that process personal data on their own behalf.
5.1.1 Data Processors
BCC IT uses several data processors that give us insight into usage patterns and interaction with our Services. An example of such data processors is Google Analytics. More information about Google’s privacy policy can be found here: https://policies.google.com/privacy
When a data processor processes personal data on behalf of BCC IT, this is regulated in data processor agreements or through other mechanisms that ensure the secure processing of your personal data.
5.1.2 Third Party
To adapt and further develop and host the Tools, applications and services delivered by BCC IT, we use third-party services from providers such as Google, Microsoft, Amazon, Discord, Github, Zoom etc. In addition, third-party suppliers are used for streaming Internet TV. BCC IT will then, among other things, be able to see overall information (including age, gender and location), get statistics on how many people have been on the site and seen the posts, how many people have responded with clicks and reactions, etc. Third party Tools and services are subject to the third party privacy policy. We encourage you to familiarize yourself with these.
5.2 IT Administration Activities
BCC IT cooperations with other organisations affiliated with the BCC Federation in order to provide, secure, maintain and support IT administration services. In addition tools and services from third party vendors and suppliers such as Microsoft, Google, Amazon, Teamwork and Notion are utilized in connection with IT administration tasks. Third party Tools and services are subject to the third party privacy policy. We encourage you to familiarize yourself with these.
5.3 IT Software Development and Support Activities
BCC IT cooperations with other organisations affiliated with the BCC Federation in order to develop, deploy, host, test and analyse softare development projects and services. In addition tools and services from third party vendors and suppliers such as Microsoft, Google, Amazon, Miro, Notion are utilized in connection with software development and support tasks. Third party Tools and services are subject to the third party privacy policy. We encourage you to familiarize yourself with these.
5.3 Non-profit Business Activities
BCC IT has agreements with a number of data processors that process personal information related to the company’s activities. This is in order to be able to handle, for example, salaries and telephone subscriptions to employees, security for BCC IT’s IT infrastructure and services, as well as physical security for employees and visitors.
6. YOUR RIGHTS
You can exercise your rights by contacting us via Contact. You are entitled to a response without undue delay, and no later than within 30 days.
6.1 Withdrawal of Concent
In cases where the foundational basis for your personal data is linked to consent, you can withdraw your consent, for example by accessing your user profile, by accessing the settings of the Service, or by contacting us.
6.2 Transparency of Information
You can request access to which personal data BCC IT processes about you.
6.3 Correction of Personal Information
You can ask us to correct or supplement information about yourself that is incorrect or misleading. If you have created a user profile with (or shared with) BCC IT, you have the opportunity to go in and make the changes under settings/profile.
6.4 Deletion of Personal Information
In some situations, you can ask us to delete information about yourself. Read more about the right to deletion on the Data Protection Authority website.
6.5 Other Rights
If you believe that we have registered incorrect personal information about you, you wish to oppose the processing of personal information, or you have experienced something that you believe is a breach of the privacy regulations, we ask that you contact us via the Contact Form. You can also complain about our processing of personal data to the Norwegian Data Protection Authority.
You can limit the amount of information processed by using private mode settings on your device. This means, for example, that you can block cookies in your browser, or prevent the browser from logging your browser and tracking websites you visit by putting your browser in private mode.The quality of the Services may be affected by such measures.
7. INFORMATION SECURITY
BCC IT’s general principles for information security apply to all users, systems and services in BCC IT. Measures for compliance with information security also apply to the security of personal data used for editorial purposes.
These measures shall contribute to BCC IT’s information values being secured in a systematic and satisfactory manner. The basic principles are used as a basis for planning, organising and implementing all projects that deal with information systems.
8. GLOSSARY
By privacy is meant a statutory protection of privacy and your personal integrity. The protection includes your right to influence the use and dissemination of personal information about you.
By person is meant a living identified or identifiable natural person.
Personal information means information and assessments that can be linked to you as a person. Examples can be name, address, telephone number, e-mail address, IP address, car license number, photos, date of birth and social security number. Information about behavior patterns is also considered personal information. This can be, for example, information about what TV series you are watching and where you are. Information about you that informs about your racial or ethnic background, about your political, philosophical or religious beliefs, health conditions, sexual relationships, and any information that you have been suspected, charged, indicted or convicted of a criminal offense, as well as union membership, is defined as sensitive personal information.
By processing of personal data is meant all operations performed with personal data, such as collection, registration, structuring, storage and dissemination.
By data controller is meant the company that is responsible for the processing of personal data, determines the purpose of the processing, and which instruments are to be used.
Personal data shall only be processed for specific, explicit, stated and legitimate purposes.
A data processor is a company that processes personal data on behalf of the data controller.
A data processor agreement is an agreement between the data processor and the data controller on how personal data is to be processed.
By basis of processing is meant the statutory basis for the processing of personal data. BCC IT uses one of these treatment bases:
- the registered person has consented to the processing, cf. the Privacy Ordinance art. 6 (1) (a)
- it intends to fulfill an agreement to which the data subject is a party, cf. the Privacy Ordinance art. 6 No. 1 b)
- it is necessary for purposes related to the legitimate interests pursued by the data controller or a third party, unless the data subject’s interests or fundamental freedoms take precedence and require the protection of personal data, cf. the Privacy Ordinance art. 6 No. 1 f)
By consent is meant a voluntary, specific, informed, unambiguous and active statement from you that you accept the processing of given personal data. A consent can be withdrawn at any time.
By BCC IT Community or IT Community is meant any person associated with a member organisation affiliated with the BCC Federation who wishes to engage in discussions, events, projects etc. facilitated by BCC IT or Related Entities.
BCC IT may process personal data if it is necessary to fulfill an agreement to which you are a party. The same applies where the processing is necessary to implement measures that you have requested before entering into an agreement.
BCC IT may process personal data if it is necessary to safeguard a legitimate interest that outweighs the interests of the individual’s privacy. BCC IT uses this treatment basis only where the invasion of your privacy is very small, and where the advantages outweigh the disadvantages.