
EITI Privacy policy for the processing of personal data in connection with the voicing of concerns
1. Introduction
All processing of personal data by the EITI Association, including data relating to both the person voicing a concern and any reported individual, shall take place in accordance with this policy.
Personal data will, in many cases, be processed in handling concerns. This privacy policy sets out how the EITI processes personal data in connection with the voicing of concerns. The EITI is the data controller for the processing of personal data submitted through the “Voice a concern” facility on the EITI website.
All concerns handled according to the EITI’s Policy on voicing concerns are recorded by the EITI International Secretariat. The content of the concern determines the extent to which it can be made public.
Concerns may be submitted through various channels, as outlined in the Policy on voicing concerns. When using the online form, the individual may choose to remain anonymous by creating a separate email address and/or by omitting their name or phone number.
2. Purpose of processing
EITI’s purpose in processing the personal data is to address the matters raised in concerns submitted.
Personal data may also be processed in connection with follow-up actions on concerns raised, to clarify the facts and take necessary action. The individual voicing a concern is encouraged to provide only information that is relevant to highlighting the circumstances that are reported and to avoid communicating any unnecessary personal data.
3. Types of personal data
The EITI will collect the following personal data and information:
- The name and/or private contact and identification data of the person voicing a concern, and the same for any reported individuals, to the extent provided by the individual submitting the concern;
- Any further personal data provided in a voicing of concern; and
- Any personal data necessary in handling a concern.
4. Legal basis for the processing of personal data
The EITI Association is organised under Norwegian law. The EITI International Secretariat is located in Oslo, Norway. Norway is associated with the European Union (EU) by the Agreement on the European Economic Area (EEA). The General Data Protection Regulation (GDPR) applies in Norway.
Processing of personal data in relation to concerns takes place in accordance with the EITI's legal obligation as regulated in the GDPR Article 6 (1)(c), i.e. the processing is necessary for compliance with a legal obligation to which the controller is subject.
Depending on the content of the concern, the EITI may also access and process special categories of personal data, e.g. personal data relating to physical health as well as suspected criminal activities. The processing of such categories of personal data is regulated by the GDPR Article 9 and Article 10. Special categories of personal data will in such cases, to the extent that it is necessary to process them, be processed pursuant to the GDPR Article 9(2)(g), insofar as the processing is necessary for reasons of substantial public interest under the applicable national law.
Special categories of personal data may also be processed with the support of the GDPR Article 9(2)(b), if the processing is necessary for purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment law. Any personal data relating to criminal activities (to the extent that the data is regulated by the GDPR Article 10) will be processed, to the extent that it is necessary to process this data, pursuant to the Norwegian Personal Data Act Section 11 and supplementary provisions in the GDPR.
The EITI's processing of personal data will be limited to that personal data necessary to handle the concern and further investigations. Personal data may also be processed to take necessary measures in response to the information that emerges in any case, if it is necessary for the report to be used as evidence in legal proceedings, or otherwise in compliance with laws or regulations.
Only personal data relevant for the handling of the concern and further investigations will be processed. Any irrelevant data submitted by mistake will be deleted as soon as possible. To manage the investigation, individuals voicing concerns are requested to avoid including personal data in notices, emails or other written form unless absolutely necessary.
5. How the EITI protects personal data
The EITI takes due care to protect personal data by using IT infrastructure to ensure confidentiality, integrity and access to personal data. Security measures are implemented to protect personal data against unlawful or unauthorised processing (such as unauthorised access, loss, destruction, or damage).
6. Retention periods
Concerns may relate to individuals, companies, governments or other organisations and may cover different topics. Personal data will be stored in accordance with the overview below to fulfil the purposes for which the data was collected.
- Individual data (EITI Code of Conduct) will be retained for 10 years, in line with requirements under tax, labour and health and safety laws;
- Company, government or other organisational data will be retained for the duration of the ongoing national contract, if applicable, plus five years afterwards for legal compliance;
- Environmental monitoring or compliance data will be retained for 20 years to meet possible regulatory obligations.
Where investigations are prolonged, data may be retained until a final decision has been reached and the period for appeals has expired.
8. Where does EITI process data?
The EITI aims to process personal data within the EU/EEA. However, as an international organisation, data may from time to time have to be transferred outside the EU/EEA. When personal data is processed by a provider outside the EU/EEA, it will be limited to what is necessary for that purpose. The EITI will take all reasonable legal, technical and organisational measures to ensure the same level of protection as within the EU/EEA. If personal data is processed outside the EU/EEA, the level of protection is guaranteed either through a decision from the European Commission that the country in question ensures an adequate level of protection, or by using so-called appropriate safeguards. Examples of appropriate safeguards are approved codes of conduct in the recipient country, standard contract clauses or binding corporate rules.
9. Your rights
Individuals whose personal data is processed by the EITI have the following rights under the GDPR:
- To request access to and rectification of personal data if the data is inaccurate;
- To request restrictions on the EITI's processing of the personal data;
- To request erasure of personal data;
- To request that personal data provided to the EITI be transferred to another controller in a structured, commonly used and machine-readable format, where technically feasible.
10. Contact
If you have questions about this policy or wish to exercise any of your rights, please contact the EITI International Secretariat at [email protected].
Complaint
If you are not satisfied with how your personal data has been handled, you may submit a complaint to the relevant supervisory authority. In Norway, this is:
The Norwegian Data Protection Authority (Datatilsynet)
Postboks 8177
NO-0034 Oslo
E-mail: [email protected]
There may also be other competent data protection authorities you may contact depending on your location, nationality and place of residence.