Privacy Policy
PRIVACY POLICY
Effective date: 15.09.2020
This privacy policy of Nordic Circular Hotspot, with registered address at St. Halvardsgate 33 Bygg H. 0192 Oslo (subsequently referred to as “we,” “our,” or “us”) regulates privacy matters of the Circular Finance for the Circular Economy (Online Event) and is based on data and is based on data protection laws of Norway and European General Data Protection Regulation 2016/679 (GDPR), California Consumers Privacy Act (CCPA) and Brazil’s Lei Geral de Proteção de Dados (LGPD). This privacy policy discloses what we collect and how we use, disclose, transfer, and store your information once you are registering for our Online Event. Please note that we are acting as data controllers solely with regards to Online Event. Other functions or third party online events are not under our control.
By registering for an Online Event, you agree to the terms of processing of your personal data described below.
Definitions
The terms listed below have the meanings assigned to them in the Regulation (EU) 2016/679 (GDPR) and LGPD:
Personal data means an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, etc.;
Processing means any operation or set of operations which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or destruction;
Data subject (or you) is an identified or identifiable natural person who can be identified, directly or indirectly, based on particular Personal Data.
Data Collected
You agree that Nordic Circular Hotspot.will be the data controller of personal data collected during Online Event and may collect, process, use, and save your personal data when you are registering and visiting Online Event. Your consent will be collected when you register for Online Event. Otherwise, we may ask you for a declaration of consent under data protection laws when you decide to register for Online Event in a separate way. This consent can be withdrawn at any time.
Personal data includes the following:
Account registration data: name and surname, user status (participant, event organizer, exhibitor)
Contact details: company name, phone number.
Content uploaded during Online Event - images, videos, presentations, and other files where your personal data is mentioned.
Statistical data: for example the number of users visiting the event, number users visiting a particular exhibitor panel.
Payment data: payment account, amounts of payment, and purpose of payment.
Use of the Data
We use, process and store your personal data for the following purposes:
1. To provide an Online Event that we organise and control. For this purpose, we process account registration data. For example, we will use this data to register you for our Online Event, provide you with a certain level of access to functionalities. We will use your communication data for your participation in Online Event (for example when you participate in the event chat). Please note that some of your profile data (the name and surname you provide to us) may be shared with other users whom you connected to, and that your profile data will be made searchable by other Online Event participants.
2. To inform you about Online Event you registered for and about upcoming Online Events.
3. For legal purposes. We may use any type of personal data when processing is required by the applicable law.
Legal basis
We process EEA-based User’s Personally identifiable data under the following legal bases:
1. On the basis of consent - on the basis of Art. 6 (1) (a) GDPR; Art 7 (I) LGPD. Under this legal basis we (1) provide Online Event to you; (2) manage your account with regards to Online Event and provide you with customer support; (3) communicate with you regarding Online Event; (4) allow you to become an exhibitor for the event.
2. For other legitimate interests, unless those interests are overridden by user’s interests or fundamental rights and freedoms that require protection of personal data. For example, we rely on our legitimate interest when it comes to (1) diagnostic analytics to assess the number of visitors, exhibitors, posts, page views, etc.; (2) optimization of our visitors’ experience; (3) fraud prevention; (4) network and information security, (5) analyzing customer satisfaction.
How do we protect your data
We process personal data in a way that assures an appropriate level of security, including protection against unauthorized Processing, destruction, accidental loss, or damage while applying suitable organizational and technical measures under industry standards.
Our physical security complies with industry standards such as ISO 27001 for physical security and availability. All data transits are encrypted to align with best practices with Secure Socket Layer technology. We are using industry-standard data transport protocols. We never store personal data on devices like USB or CD. We are using security reports to monitor access patterns and to proactively identify and mitigate potential threats.
All data are stored in the territory of the European Union. All data are automatically replicated in real-time to secondary hot failover databases and file repositories in the same data center.
All our personnel and contractors are subject to confidentiality agreements. Only authorized personnel have granted minimum access on a need-to-have basis to personal data.
Service providers.
Our service providers acting as processors based in the EEA:
1. We use MyOnvent online event hosting services brought by MyOnvent AS, a company registered under the laws of Norway with a registered address at Bureisergrenda 170 2365 Åsmarka. MyOnvent is acting as a data processor with regards to personal data collected. MyOnvent is located in Norway. To find more about MyOnvent please refer to their privacy policy available at https://myonvent.com/privacy-policy/. Purpose of processing - providing of Online Event. Legal basis: Art. 6 (1)(a) GDPR; Art 7 (I) LGPD.
Data transfers
We will never sell your personal data to third parties.
The information we provide to you may be transferred to and processed on our servers, or servers of third-party providers. If such third party providers are located outside EEA, we either enter into standard (“model”) contractual clauses or ensure that the transfer is pursuant to another valid mechanism under GDPR, such as the service provider being certified under the EU-U.S. Privacy Shield Framework.
As far as the transmitting of personal data to a third party is not explicitly permitted by law, you agree that we may, if necessary, transmit personal data to law enforcement offices when relevant to defending against a governmental and public safety threat or the prosecution of a criminal act. Furthermore, you agree that we may, if necessary and related to legitimate law enforcement or criminal prosecution interests, transmit personal data to a third party. Transmission of data is not necessary and will not occur if a preliminary legal or law enforcement proceeding can be initialized or has already been initialized.
You retain at all times the possibility to object replacement of data controller, subcontractors or sub-processors handling personal data to such changes or to terminate the contract with us.
We retain the right to share your personal data as part of change in control, merge or sale, or in preparation for any of these events. Any third party which further buys us or part of our business will be entitled to continue to use your data, but only in the manner set out in this Privacy Policy unless you agree otherwise.
Your Privacy Options according to GDPR
According to GDPR, you have the following rights:
Right to rectification. You have the right to request to rectify, without undue delay, any incorrect data pertaining to you.
Right to limitation of processing. You can limit the use of personal data processed.
Right of access. You may request a copy of personal data we collected during the event.
Objecting to or restricting the use of Personal Data. You can ask to stop using all or some portion of Personal Data or limit use thereof by requesting its erasure as described above or sending us a request
The right to lodge a complaint with supervisory authority. You have the right to lodge a complaint with a competent data protection supervisory authority.
The right to data portability. You can receive personal data in a machine-readable format by sending respective requests at martin@naturalstate.no
Exercise of rights
To exercise your right to access you have a right to send us a request. Upon request, we will endeavor to provide information free of charge. If we are data controllers with regards to personal data collected we will provide a response. We may charge a reasonable fee if the request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
If we are data controllers, we shall review and pronounce on the request within 1 month as of its filing. This period may be extended by further two months, if necessary, for example, if your request is particularly complex or you have made a number of requests. We shall inform you as to any such extension within 1 month as of receipt of the request, stating the reasons for the delay. When you file a request by electronic means, the information is provided electronically, if possible, unless you have requested otherwise.
Upon the filing of a request by an authorized person, the notarized power of attorney must be attached to the request. In case of death of the natural person, his / her rights are exercised by his / her heirs and the certificate of heirs shall be attached to the request. The heritage should be confirmed by a respective certificate, issued in the dead person’s jurisdiction.
Where data does not exist or their provision is forbidden by law, access of the requesting party to such data is refused.
Third-party links
Our Online Event may contain links to other websites, services, and web addresses. This privacy policy applies only to Online Events you registered for, not those external websites, services and web addresses that we link to. Those websites, services, and web addresses have their own privacy policies. We are not responsible for these external websites and services and their privacy policies and practices, as well as their compliance with applicable data protection laws. In addition, if you linked to an Online Event from an external site, we cannot be responsible for the privacy policies and practices of the owners and operators of that external website and recommend that you check the privacy policy of that external website.
Retention
We will store personal data for as long as it is reasonably necessary for achieving the purposes set forth in this privacy Policy which includes (but is not limited to) the period during Online Event, unless stipulated otherwise in our agreement with you. We may also retain and use personal data as necessary to comply with legal obligations, resolve disputes, and enforce agreements.
Age Limitation
Our Online Event is not for users who are under 18 years old. We do not knowingly process any personal data from persons under 18 years of age, and any such data shall be immediately deleted upon detection. If you learn that anyone younger than 18 has provided us with personal data, please contact us at XXXX[ADD YOUR E-MAIL HERE].
Privacy Policy Changes
We may amend this Privacy Policy from time to time, and we shall inform you about any such amendments in the future. The use of data we collect, process, and save now is subject to the version of this Privacy Policy that is in effect at the time users provide such data.
Information for California and Nevada Residents
Under California Consumers Privacy Act (CCPA) and Nevada Privacy Law we have to inform consumers based in California and Nevada about our use, disclosure, processing and collection of personal information. This section explains your rights as of California/Nevada consumer or resident pursuant to this act. Categories of personal data that we collect are described in the “Data Processing” section of this Privacy Policy. The purposes of processing of personal data are described in the “Use of personal data” section of this Privacy Policy.
We will never collect, sell, and/or disclose personal data to third parties or service providers for a business purpose, except disclosure to event organisers, whose role is explained in the “Event organizers” section. Please see respective event organiser privacy policy to understand how your personal data will be treated.
CCPA prohibits any kind of discrimination acts agains California consumers for executing their rights granted pursuant to CCPA and imposes requirements and restrictions on any kinds of financia incentives related to collection, processing and use of California consumers personal data. Due to this, we will not discriminate against you and will provide, and will not deny, a different level of quality of services and/or goods. Also, we will charge or suggest that we will charge different prices or rates or impose penalties. However, we reserve the right to do so, when it is reasonably related to the value provided to the consumer by the consumer’s data.
We honor rights granted to consumers pursuant to CCPA and Nevada Privacy Law, so we will accept verifiable requests of copy, deletion and right to know. California and Nevada consumers can execute your right twice per 12 month period.
Deletion request. Right to request deletion of personal data we collected about you.
Copy request. Right to request a copy of personal data we collected about you.
Right to know. Description of personal data we collected about you within the last 12 month period as per the CCPA.
You can execute your rights by sending email to martin@naturalstate.no. When you file a request by electronic means, the information is provided electronically, if possible, unless you have requested otherwise.
For California based consumers: we will provide you with a response within 45 days from the moment we received your request and verify your identity.
For Nevada based consumers: we will provide you with a response within 90 days from the moment we received your request and verify your identity.
Please take into account that we will satisfy your request only when we have verified your identity to a reasonable degree of certainty. You are entitled to authorise your agent to execute your rights. However, please note that we will verify your agent’s authorisation.
Information for Brazilian residents
Brazil’s Lei Geral de Proteção de Dados, the Brazilian General Data Protection Law, Federal Law no. 13,709/2018 (“LGPD”) will become effective on August 16, 2020. The LGPD is a legal policy in Brazil, both online and offline, in the private and public sectors. As supervisory authority, the National Data Protection Authority (ANPD) has been created and charged with overseeing and enforcing the LGPD. LGPD requires that Brazilian personal data processed by an organization is appropriately and sufficiently managed and protected.
We honor Brasilian residents rights and allow to execute the following rights granted by the article Art 18 of LGPD:
The right to confirmation of the existence of the processing;
The right to access the data;
The right to correct incomplete, inaccurate or out-of-date data;
The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
The right to the portability of data to another service or product provider, by means of an express request
The right to delete personal data processed with the consent of the data subject;
The right to information about public and private entities with which the controller has shared data;
The right to information about the possibility of denying consent and the consequences of such denial; and
The right to revoke consent.
You can execute your rights by sending email to martin@naturalstate.no. When you file a request by electronic means, the information is provided electronically, if possible, unless you have requested otherwise.
We will provide you with a response within:
Response to the right of access request will be provided within 15 days from the moment we received your request and verify your identity.
Other requests will be executed within reasonable time, but not more than 30 days from the moment we received your request and verified your identity.
Please take into account that we will satisfy your request only when we have verified your identity to a reasonable degree of certainty. You are entitled to authorise your agent to execute your rights. However, please note that we will verify your agent’s authorisation.
Supervisory Authority
We’re regulated by the- for example - Norwegian Data Protection Authority (DPA). You can also contact them for advice and support by sending e-mail to https://www.datatilsynet.no/en/about-us/contact-us/